LINUX File System Findings
Everything in Linux is a File
The phrase "Everything in Linux is a File" is a cornerstone of the operating system's philosophy. But what does that actually look like when you stop reading textbooks and start poking around a live system?
I explored an Ubuntu 24.04.4 LTS environment not just to learn commands, but to investigate why these files exist and what would break if they didn't. Here are 10 meaningful findings from that journey.
01. User Identity, Split in Two
Files: /etc/passwd & /etc/shadow
Linux separates identity from security. While /etc/passwd contains user details (UID, home directory, shell), you'll notice an x in the password field. This is a redirect to /etc/shadow, which holds the actual password hashes.
Why?
/etc/passwdmust be world-readable so programs can resolve usernames.Security: By moving hashes to the root-only
/etc/shadow, Linux prevents standard users from running offline dictionary attacks against account credentials.
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
....
02. The Name Resolution Conductor
File: /etc/nsswitch.conf
Most assume hostnames go straight to DNS, but /etc/nsswitch.conf dictates the order. A line stating hosts: files dns means the system checks /etc/hosts first. This architecture allows for graceful degradation; a system can still resolve localhost via local files even if the network is down or resolv.conf is empty
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files systemd sss
group: files systemd sss
shadow: files systemd sss
gshadow: files systemd
....
03. Your Routing Table Lives in RAM
File: /proc/net/route
There is no static "routing config file" the kernel reads. Instead, /proc/net/route is a virtual file representing the kernel's live, in-memory state.
The Data: Values are stored in little-endian hexadecimal.
The Reality: Tools like
ip routedon't read a config; they interact directly with this dynamic kernel data structure.
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
wlp2s0 00000000 BB90EE0A 0003 0 0 600 000000000 0 0
wlp2s0 0090EE0A 00000000 0001 0 0 600 00FFFFFF0 0 0
04. X-Ray Vision Into a Running Process
Files: /proc/[PID]/maps & /proc/[PID]/fd
Every process has a dossier in /proc.
Memory Layout: The maps file shows memory regions and permissions (r, w, x). Separating read-only code from read-write data is a core security mechanism against buffer overflows.
File Descriptors: The fd directory reveals where stdin, stdout, and stderr are pointing—often pipes in a containerized environment.
00400000-00452000 r-xp 00000000 fd:01 123456 /usr/bin/cat
00651000-00652000 r--p 00051000 fd:01 123456 /usr/bin/cat
00652000-00653000 rw-p 00052000 fd:01 123456 /usr/bin/cat
7f7d84000000-7f7d84200000 rw-p 00000000 00:00 0
7f7d85c00000-7f7d85d00000 r--p 00000000 fd:01 654321 /usr/lib/x86_64-linux-gnu/libc.so.6
total 0
lrwx------ 1 user user 64 Apr 22 14:30 0 -> /dev/pts/0
lrwx------ 1 user user 64 Apr 22 14:30 1 -> /home/user/output.log
lrwx------ 1 user user 64 Apr 22 14:30 2 -> /dev/pts/0
lr-x------ 1 user user 64 Apr 22 14:30 3 -> /usr/lib/x86_64-linux-gnu/libc.so.6
05. The Kernel’s Live Control Panel
Directory: /proc/sys/net/ipv4/
The /proc/sys/ tree allows you to tune the kernel in real-time without a reboot.
ip_forward: Writing a 1 here instantly turns your machine into a router.
tcp_syncookies: A built-in defense against SYN flood DDoS attacks.
Persistence: These changes are ephemeral. To make them survive a reboot, they must be written to /etc/sysctl.conf.
06. The Devices That Don't Exist
Files: /dev/null, /dev/zero, /dev/random
Not every file in /dev represents physical hardware. Some are synthesized by the kernel to solve specific problems:
/dev/null: The "black hole" for silencing output.
/dev/zero: Provides infinite zero bytes for wiping disks.
/dev/random: Generates secure random bytes from system entropy.
Conclusion
The Linux file system isn't just storage; it is the primary interface between userspace and the kernel. By exposing internals as files, Linux allows you to inspect and control the system with simple tools like cat and echo. It is a design that values transparency, trusting the user to look inside and understand the machine.
