Linux Under the Microscope (Ubuntu): A Deep Filesystem Investigation
When I started this exploration on Ubuntu, I expected to find configuration files and logs. What I actually found was something far more powerful:
The Linux filesystem is not just storage—it is the interface to the entire operating system.
Everything-processes, kernel state, hardware, networking, permissions—is exposed as files. But the deeper I went, the more I realized that these pieces are interconnected in ways that are not obvious at first glance.
This blog documents my findings as a system investigator.
1. The Filesystem Isn’t What It Seems
At first glance, Linux looks like a normal directory tree:
/ (root)
├── etc
├── var
├── proc
├── sys
├── dev
But not all of these are “real” directories.
🔍 Discovery
mount | grep -E "proc|sysfs|tmpfs"
🖥️ Output
proc on /proc type proc (rw,nosuid,nodev,noexec)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec)
tmpfs on /run type tmpfs (rw,nosuid,nodev)
Insight:
/procand/sysare virtual filesystems/runexists in RAM (tmpfs)
This means parts of Linux:
Don’t exist on disk
Are generated dynamically by the kernel
This completely changes how you think about “files.”
2. /proc: The Kernel’s Live API
The /proc directory is essentially a live API exposed as files.
🔍 Example: CPU info
cat /proc/cpuinfo | grep "model name" | head -1
model name : Intel(R) Core(TM) i5-10210U CPU @ 1.60GHz
This isn’t stored anywhere—it’s generated on request.
Hidden Power: You Can Modify the Kernel Live
🔍 Check max processes
cat /proc/sys/kernel/pid_max
4194304
🔍 Change it
sudo sysctl -w kernel.pid_max=500000
Insight:
/proc/sysallows live kernel tuningNo reboot required
This is like editing the OS while it’s running.
Process Investigation
Each process has deep metadata:
cat /proc/1/status
Name: systemd
State: S (sleeping)
Pid: 1
Uid: 0 0 0 0
What’s interesting:
PID 1 is always
systemdYou can inspect any running process internally
Security Observation
ls -l /proc/1/environ
Only root can read it.
Even process environment variables are protected.
3. /sys: The Kernel’s Hardware Model
While /proc shows processes, /sys reveals how Linux understands hardware.
🔍 Explore devices
ls /sys/block
sda sdb loop0
🔍 Disk scheduler
cat /sys/block/sda/queue/scheduler
[mq-deadline] none
Insight:
You can see how disk I/O is managed
You can even change schedulers
This is direct control over hardware behavior.
CPU Control
cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor
powersave
Meaning:
- CPU adjusts speed dynamically
Linux exposes power management as files.
4. /dev: Devices Are Just Files
🔍 Exploration
ls /dev | head
null
zero
random
tty
sda
Strange but Powerful Devices
/dev/null
echo "hello" > /dev/null
→ Data disappears
/dev/zero
head -c 10 /dev/zero
→ Infinite zeros
/dev/random
head -c 10 /dev/random
→ Random bytes
Insight:
Linux treats:
disks
memory
randomness
all as files.
Programs don’t need special APIs—just file operations.
5. /etc: More Than Just Config Files
Everyone knows /etc is config, but the deeper insight is:
It defines system identity and behavior
User System
cat /etc/passwd
Each line:
user:x:1000:1000:User:/home/user:/bin/bash
Meaning:
UID = identity
Home directory
Default shell
Password Security
sudo cat /etc/shadow
user:\(6\)hashedpassword...
Insight:
Passwords are hashed using SHA-512
Stored separately from
/etc/passwd
Separation improves security.
Hidden Behavior: /etc/nsswitch.conf
cat /etc/nsswitch.conf
hosts: files dns
Meaning:
Check
/etc/hostsfirstThen DNS
This controls how name resolution works internally
6. DNS Is a Chain, Not a File
🔍 Investigation
systemd-resolve --status
Shows:
DNS servers
Interfaces
Cache
Hidden layer:
ls /run/systemd/resolve/
Actual runtime DNS data lives here.
Insight:
DNS involves:
/etc/resolv.confsystemd-resolved
NSS config
cache
It’s a multi-layer pipeline, not a single file.
7. /var: Where the System Evolves Over Time
Unlike /etc, /var is constantly changing.
Logs
ls /var/log
syslog
auth.log
kern.log
APT history (Ubuntu-specific)
cat /var/log/apt/history.log
Shows:
installed packages
removed packages
You can reconstruct system changes.
Crash Reports
ls /var/crash
Stores application crash dumps
Insight:
/var is the historical memory of the system
8. /run: The Ephemeral Brain
🔍 Exploration
ls /run
systemd
network
user
Key fact:
Stored in RAM
Cleared on reboot
Example:
cat /run/utmp
Tracks logged-in users.
Insight:
/run = current system state only
9. Boot Process Hidden in Files
🔍 /boot
ls /boot
vmlinuz
initrd.img
grub/
What happens:
BIOS loads GRUB
GRUB loads kernel (
vmlinuz)Kernel loads init system (
systemd)
Hidden detail:
initrdprepares environment before real root filesystem loads
Boot is a multi-stage file-driven process
10. systemd: The System Controller
🔍 Explore services
systemctl list-dependencies
Shows dependency tree.
Example:
systemctl cat ssh
Shows service config file.
Insight:
systemd uses:
unit files
dependency graphs
Boot is not sequential—it’s parallel and dependency-based
11. File Permissions: Silent but Powerful
🔍 Example
ls -l /etc/shadow
-rw-r----- 1 root shadow
Meaning:
- Only root can read
Special bits:
ls -l /usr/bin/passwd
-rwsr-xr-x
Insight:
s(setuid) allows temporary privilege escalation
This is how normal users change passwords securely.
12. Environment Behavior (Hidden Influence)
🔍 Check environment
printenv | head
Config files:
/etc/environment/etc/profile~/.bashrc
Insight:
Environment variables control:
PATH
program behavior
default tools
Small changes here affect the entire system.
13. One Mind-Blowing Realization
After exploring everything, one idea stands out:
Linux does not hide complexity—it exposes it uniformly
Everything maps to files:
| System Component | Location |
|---|---|
| Processes | /proc |
| Hardware | /sys |
| Devices | /dev |
| Config | /etc |
| Logs | /var/log |
| Runtime state | /run |
Exploring Linux like this feels less like using a computer and more like:
Reverse-engineering a living system through its filesystem
