Linux File Hierarchy Standard

I spend a considerable amount of time on Linux machines, but I've never really known what the different directories were used for. From /home inward is similar enough to what I was used to on Windows, with Documents, Downloads, Pictures, etc. being pretty self-explanatory. However, there are several directories of which I do not know the purpose. This post aims to look into them and what they're used for. While I'll be poking around on a Kali VM (for my screenshots), most Linux distros should be set up the same way (or at least very similarly). This is because they follow the Linux Foundation's Filesystem Hierarchy Standard. This is the gold standard for how Linux flavors should organize their directories and the files within.

I guess the best place to start is to define a directory. Wikipedia says: "In computing, a directory is a file system cataloging structure which contains references to other computer files, and possibly other directories." Basically, its a way to keep stuff organized. On Linux, everything falls under the root directory. This is the very top directory which everything will be under. Even if the directory is physically separate. Like a flash drive, for example. It will still show up underneath the root directory.  As you can see, there's a handful of directories directly underneath the root which branch out into their own sub-directories.

So let's start working our way down them. First off, /bin. This directory is used to house anything that is ready to run. Due to the directory being in PATH by default, you can simply type any of the items in the directory on the command line and they will run.

The /boot directory is used for exactly that. This directory holds the configuration files for booting up the system.

The /dev directory contains device files. These include things like drive partitions, DVD, and USB devices. It is mostly broken up into block or character devices. "In general, 'block devices' are devices that store or hold data, 'character devices' can be thought of as devices that transmit or transfer data." For example, hard drives hold data and therefore would be a block device. The keyboard would be a character device as it sends data. This also includes tty which is the PC monitor. So essentially, this directory holds all the "stuff" connected to the computer that the OS has access to.

Next up is the /etc directory. When I think of etc , my mind goes straight to etc/passwd and etc/shadow . This is where Linux stores user info and password hashes respectively. However, /etc contains much more than that. It contains all the configuration files for the system. Each of the below files or directories contain the associated configuration file. Several of them even have the .conf extension making it pretty clear what their purpose is.

One important directory in here is /apt which contains information related to the APT. " APT (for Advanced Package Tool) is a set of tools for managing Debian packages, and therefore the applications installed on your Debian system ." It allows for the very user-friendly installation and update method found on Kali and other Linux flavors. Inside the same directory is the sources.list file which tells APT where to pull the packages from.

The /home directory contains a folder for each (non-root) user. These folders can generally only be accessed by the user they were created for. As I mentioned at the top of the post, its similar enough to the "Desktop environment" you get on Windows. Users will have directories to store their documents, pictures, downloads, and so on.

/lib is the directory used to store all the kernel modules and shared library images. These files are needed to boot the system and for basic system functionality. These files have the .so extension and are similar to Windows DLL files.

In the case of a crash or power failure, the next boot will kick off a filesystem check. Fsck will go through the system looking for any corrupted files. Any files that are damaged but recovered will be placed in the /lost+found directory. These files won't always be complete or readable, but there might be something that you'll be glad was saved.

Next up is the /media directory. Similar to /mnt, this directory is used for mount points such as CD drives or USB sticks. The idea behind its creation was to move removable media out of the / directory. This avoids having a large number of extra directories within the root directory.

As previously mentioned, the /mnt directory is where you can mount filesystems or devices. This allows the system to access the newly mounted filesystem. During an engagement, you might come across an NFS share. This directory would be used to mount that share and then go exploring it. To mount something, you can use the mount command. It takes two arguments, the device file and the directory you want to mount to. When you are done with the mounted share, use umount to unmount it. You will have to specify either the device file or the mount point.

/opt holds all the software that doesn't come as part of the default installation. Similar to the Program Files folder on Windows. For example, if you install BurpSuite Pro, it will create a directory within /opt.

The /proc directory is unique in that it doesn't hold "real" files. Instead, it holds runtime system information. Almost all the files in this directory have a file size of zero. This is because these files are more of window into the kernel. These files just act as pointers to where the actual process information resides.  Everything running on the system has a process ID. Within this directory, there is a subdirectory for each process. In there, you can see things like how much memory the process is using, the working directory of the process and the status. Since everything is a file, you can also find files that give you information on things like the network protocols via /proc/net, the mounted filesystems via /proc/mounts or the kernel modules loaded via /proc/modules. As an example, that last one would give similar output to the lsmod command.

/root is the same as /home but for the root account.

With Red Hat Enterprise Linux 7, the /run directory is used as a temporary file storage system. It is bind mounted to the /var/run directory. The purpose is to hold non-persistent files. In here, The applications would have to recreate their own files and directories on startup.

Similar to /bin, the /sbin directory contains binaries. Things that can be run straight from the command line from anywhere. However, this directory contains executables used for system maintenance and administrative tasks. The idea behind having both of these isn't for security reasons. Instead, it is meant to provide a partition between commands everyone uses vs commands that are primarily used for admin tasks. Some of the commands found in here are ifconfig, reboot and shutdown.

One of the most important directories on a system is /usr. It contains all the user binaries, their documentation, libraries, header files, etc. Referred to as the User System Resources or UNIX System Resources, this directory is broken up into subdirectories such as: (MAYBE JUST A SCREENSHOT INSTEAD?)

  • /usr/bin/ : Same as for top-level hierarchy
  • /usr/include/ : Standard include files
  • /usr/lib/ : Same as for top-level hierarchy
  • /usr/sbin/ : Same as for top-level hierarchy
  • /usr/share/ : Architecture-independent (shared) data
  • /usr/src/ : Source code (to build debian packages. see also /usr/local/src/)
  • /usr/X11R6/ : X Window System, Version 11 Release 6
  • /usr/local/ : Tertiary hierarchy for local data installed by the system administrator
  • /usr/local/bin : locally compiled binaries, local shell script, etc.
  • /usr/local/src : Source code (place where to extract and build non debian'ized stuffs)

It should also be noted that these files are not required to boot the system.

Finally, the /var directory contains data such as logging files, mail, websites and temporary files. It also contains backups of key system files such as /etc/shadow.

Sources and Inspiration