CoursesLinux essentialsThe shell & filesystem

The filesystem hierarchy

What lives where, and why it matters.

Beginner10 min · lesson 3 of 25

Linux directories are not arbitrary — the Filesystem Hierarchy Standard gives each a defined purpose, and knowing the map means you can find things on any distribution. The essentials: /etc holds system configuration (text files you edit to configure services), /var holds variable data that changes at runtime (logs in /var/log, spools, caches), /home holds users’ personal directories, and /root is the root user’s home. These four are where you will spend most of your time.

The directories you will actually use
configuration & data
/etc
system + service config (text files)
/var/log
logs — where you investigate
/home, /root
user home directories
/tmp
temporary, world-writable, wiped on reboot
programs & the kernel
/usr/bin, /bin
installed programs
/proc, /sys
live kernel/process info (virtual)
/dev
devices as files
Config in /etc, logs in /var/log, programs in /usr/bin, live system state in /proc. That map covers 90% of daily work.

/proc and /sys: the system as files

A distinctive Linux idea: /proc and /sys are not real files on disk but live views of the kernel and running processes, presented as a filesystem you can read with normal tools. /proc/<pid>/ shows everything about a process; /proc/cpuinfo shows the CPU; /sys exposes kernel and device settings. This "everything is a file" design is why the same cat and grep you use on configs also let you inspect the live kernel — and it is central to how the security tooling later works.

terminal
$ cat /proc/loadavg # current system load
$ cat /proc/$(pgrep -n sshd)/status | head # live info about a process
$ ls /proc/1/ # PID 1 (init/systemd) — a directory of live state

Why the layout is a security concern

The hierarchy is not just tidiness — it tells you where to look and what to protect. Secrets and credentials tend to live in /etc and users’ home directories; evidence of what happened lives in /var/log; /tmp is world-writable and a classic place attackers drop tools. Knowing the map means you know where to hunt during an incident and which directories deserve the tightest permissions.

/tmp is world-writable — treat it as hostile
By design, any user can write to /tmp, which makes it a favorite staging ground for dropped payloads and a source of "temp file" attacks (a program trusting a predictable /tmp path an attacker pre-created). Do not store anything sensitive there, be wary of scripts that write predictable /tmp filenames, and know that many hardened systems mount /tmp with noexec so binaries cannot be run from it.