Linux Filesystem Hierarchy
Forget Windows drive letters completely.
Linux uses a single unified tree starting from / (root), and everything hangs off this one point: every file, every directory, every device, every process representation. The Unix philosophy treats everything as a file accessible through a hierarchical namespace, which makes system navigation logical once you understand the standard directory structure.
/ (Root Directory)
Only the root user has write permission here by default. If an attacker gains write access to /, they essentially own your entire system, because they can replace critical binaries, modify boot configuration, or plant persistent malware at the foundation level, where most security tools don't look for threats.
/bin (Essential User Binaries)
Critical commands required for system recovery. Tools like ls, cp, cat, bash, grep, ps live here because these binaries must be available even when the system boots into single-user mode for emergency maintenance.
/sbin (System Administration Binaries)
Commands like fdisk, ip, iptables, reboot, shutdown, init require root privileges to actually modify system state.
/etc (Configuration Everything)
Every major service stores configuration as human-readable text files in /etc/. Key configs:
/etc/passwd - User account info (world-readable)
/etc/shadow - Password hashes (root-only)
/etc/sudoers - Sudo privilege config
/etc/ssh/sshd_config - SSH daemon config
/etc/crontab - Scheduled tasks (persistence goldmine)
/home (User Territories)
Each user gets /home/username/ as writable space. These directories often contain SSH private keys, bash history, browser credential databases, and API tokens.
/var (Variable Runtime Data)
Logs, databases, caches, spools. /var/log/ is a forensic goldmine.
/proc (Process Information Virtual FS)
Nothing in /proc/ exists on disk; it is all generated by the kernel in real time.
/proc/[pid]/cmdline - Process command
/proc/[pid]/environ - Environment variables (credentials leak here)
/proc/net/tcp - Active TCP connections
Security-Critical Paths
Authentication:
/etc/shadow # Password hashes
/etc/passwd # User account database
/etc/sudoers # Sudo configuration
SSH Keys:
~/.ssh/id_rsa # Private SSH key
~/.ssh/authorized_keys # Authorized public keys
Application Credentials:
~/.aws/credentials # AWS credentials
~/.kube/config # Kubernetes config
/var/www/.env # Web app env variables
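
An added example, not part of the original page: a Python audit that checks the paths listed above for permission bits beyond a baseline. The maximum modes, the /home/* layout standing in for ~, and the names audit and build_sample_tree are assumptions of this example; the sample tree is constructed so the check runs offline.

```python
import glob
import os
import stat
import tempfile

# Paths are the ones listed above; the maximum modes are assumed baselines.
MAX_MODES = {
    "etc/passwd": 0o644,                   # world-readable by design
    "etc/shadow": 0o640,                   # hashes: nothing for "other"
    "etc/sudoers": 0o440,
    "home/*/.ssh/id_rsa": 0o600,
    "home/*/.ssh/authorized_keys": 0o644,
    "home/*/.aws/credentials": 0o600,
    "home/*/.kube/config": 0o600,
    "var/www/.env": 0o640,
}

def audit(root="/"):
    """Return (relative_path, mode, max_mode) for each file with extra bits."""
    findings = []
    for pattern, max_mode in MAX_MODES.items():
        for path in sorted(glob.glob(os.path.join(glob.escape(root), pattern))):
            try:
                mode = stat.S_IMODE(os.stat(path).st_mode)  # follows symlinks
            except OSError:
                continue  # dangling symlink or unreadable parent directory
            if mode & ~max_mode:  # any permission bit beyond the baseline
                findings.append((os.path.relpath(path, root), mode, max_mode))
    return findings

def build_sample_tree():
    """Constructed sample tree (not real data) so the audit runs offline."""
    root = tempfile.mkdtemp(prefix="fhs-audit-")
    sample = {
        "etc/shadow": 0o644,                     # too open: hashes world-readable
        "home/alice/.ssh/id_rsa": 0o600,         # within the baseline
        "home/bob/.ssh/id_rsa": 0o644,           # too open: key readable by others
        "home/bob/.ssh/authorized_keys": 0o666,  # too open: anyone can add a key
    }
    for rel, mode in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, mode)  # chmod is not affected by umask
    return root

if __name__ == "__main__":
    for rel, mode, max_mode in audit(build_sample_tree()):
        print("%-32s mode %04o exceeds %04o" % (rel, mode, max_mode))
```

Calling audit("/") checks the live system; files it cannot stat are skipped, so run it with enough privilege to see every path.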