I like to jot down the things I learn as I go along; it helps me to remember. I’ve reproduced this list of useful Linux files and folders which will hopefully grow over time, to represent those I have encountered. I figure if I write them here, they might be of use to others too. The majority can be explored with cat, a pager or a text editor.
/
root directory that must contain:
bin boot dev etc lib media mnt opt sbin srv tmp usr and var subfolders
FOLDER
~/.forward
Mail forwarding configuration FILE
SYNTAX for line in file:
mrnoobot, mrsnoobot
#forwards to specified users
mrnoobot, "|/usr/bin/vacation"
#forwards to user and runs program
/boot
contains Linux kernel and bootloader files FOLDER
/boot/efi
contains Linux kernel and bootloader files (EFI)
/boot/grub/grub.conf
The GRUB bootloader configuration file. FILE
Notable sections:
GLOBAL OPTIONS
default = 0 #title to boot to by default
fallback = 1 #title to boot to if default fails
timeout = 5 #time to choose boot option
splashimage = /grub/splash/image.jpg #background image
hiddenmenu #hides all but default title unless key is pressed
password Password123 #password needed to use GRUB CLI
TITLES
#denote available operating systems
root(hd0,2) #provides location of boot directory using hd syntax
kernel #image file and parameters to be passed to kernel
initrd #ramdisk to match kernel
password #when used in title, password must be entered before booting that title
password --md5 <MD5HASH> #uses an encrypted password for password functions (safer). Can be generated using grub-md5-crypt
rootnoverify #specifies bootable non-Linux operating systems
chainloader +1 #specify path to bootloader on non-Linux bootable OS OR +1 if it is in the first sector of the partition
/dev
pseudo-filesystem that represents all devices currently connected to the Linux system. FOLDER
/dev/sda1
#represents SATA/SCSI/USB device A partition 1
/dev/hdb2
#represents IDE device b partition 2
/etc/adjtime
Log FILE of the hardware clock first setting and subsequent adjustments.
/etc/apt/sources.list
configuration file for locating package repositories (Debian) FILE
/etc/at.allow
FILE which specifies a list of users (one per line) who are permitted to use the at command. By default all users are allowed to use the command if it is installed and this file does not exist.
If this file exists, then /etc/at.deny should NOT exist
/etc/at.deny
FILE which specifies a list of users (one per line) who are NOT permitted to use the at command. By default all users are allowed to use the command if it is installed and this file may not exist (or will be empty).
If this file exists, then /etc/at.allow should NOT exist
Adding a user to this file will not affect any existing at jobs that user has created. These should be removed manually using atrm
/etc/chrony.conf
FILE for configuring the chronyd time service (an alternative to network time protocol for high latency environment)
pool <address> #specifies NTP server pools
logdir #specify location of log files
server #server address to use
keyfile #location of authentication information for NTP servers
driftfile #location of file to monitor drift for correction
allow <IP or subnet> #hosts that can use this server
deny <IP or subnet> #hosts that may not use this server
/etc/cron.allow
FILE which specifies a list of users (one per line) who are permitted to use the crontab command. By default all users are allowed to use the command and this file does not exist.
If this file exists, then /etc/cron.deny should NOT exist
/etc/cron.d
FOLDER containing system crontab (scheduled) jobs that do not require environment variables to be loaded before script execution
/etc/cron.deny
FILE which specifies a list of users (one per line) who are NOT permitted to use the crontab command. By default all users are allowed to use the command and this file does not exist.
If this file exists, then /etc/cron.allow should NOT exist
Adding a user to this file will not affect any existing cron jobs that user has created. These should be removed manually using crontab -u mrnoobot -r
/etc/crontab
System crontab FILE for the scheduling of tasks.
The file will:
Define the environment for the scripts eg using SHELL/PATH variables
Define the frequency of script execution
Define what user the script will run as
Define a path to the script
User crontab files are similar but only run as the user.
Frequency is established by defining the following:
minutes (0-59)
hours (0-23)
day of the month (1-31)
month (1-12)
day of the week (0-7) (0 & 7 == Sunday)
Multiple days/weekdays/months can be specified using comma separation or defining a range with -
These frequency fields can be replaced by the following keywords:
@reboot
@yearly/@annually
@monthly
@weekly
@daily/@midnight
@hourly
/etc/default/grub
contains entries for default boot FOLDER
/etc/default/locale
As the path suggests, a FILE in which the default locale can be adjusted by changing the LANG variable to an available locale. See also locale command.
/etc/fstab
file system table - configures filesystems that will be mounted automatically on boot FILE
FORMAT:
UUID/DEV/LABEL MOUNTPOINT FILESYSTEM OPTIONS DUMPBIT CHECKPRIORITY
UUID/DEV/LABEL #lists the uuid, the device or the label
MOUNTPOINT #the point to mount the device on
FILESYSTEM # the filesystem on the device
OPTIONS #any specified options
DUMPBIT #1 for TRUE, 0 for FALSE - available to dump command
CHECKPRIORITY #0 for NEVER - order that filesystems are checked
OPTIONS
ro #read only
rw #read and write
suid #allow suid executes
nosuid #do not allow suid executes
dev #allow device files
nodev #do not allow device files
exec #allow executable files
noexec #do not allow executable files
auto #automatically mount
noauto #do not automatically mount
async #asynchronous writes
sync #synchronous writes
relatime #only update access timestamp if file is modified or metadata changed
defaults #stick to default options
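Added example (not part of the original notes): a small Python check that parses lines in the FORMAT above and reports mount points missing nosuid, nodev or noexec. The sample fstab, the POLICY table and the function names are constructed for illustration.

```python
# SAMPLE_FSTAB is a constructed sample, not taken from a real system.
SAMPLE_FSTAB = """\
UUID=1111-aaaa  /         ext4  defaults                  1 1
/dev/sda3       /tmp      ext4  rw,nosuid,nodev           0 2
LABEL=vartmp    /var/tmp  ext4  defaults,noexec           0 2
/dev/sdb1       /home     ext4  rw,nosuid,nodev,relatime  0 2
"""

# Hypothetical policy: options each mount point is expected to carry.
POLICY = {
    "/tmp": {"nosuid", "nodev", "noexec"},
    "/var/tmp": {"nosuid", "nodev", "noexec"},
    "/home": {"nosuid", "nodev"},
}

# Option pairs from the OPTIONS list; the first of each pair is the default.
PAIRS = [("rw", "ro"), ("suid", "nosuid"), ("dev", "nodev"),
         ("exec", "noexec"), ("auto", "noauto"), ("async", "sync")]
FLIP = {**{a: b for a, b in PAIRS}, **{b: a for a, b in PAIRS}}


def parse_fstab(text):
    """Return one dict per entry, skipping blank lines and comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4:
            continue
        dump, check = (fields[4:6] + ["0", "0"])[:2]  # both are 0 if omitted
        entries.append({"device": fields[0], "mountpoint": fields[1],
                        "filesystem": fields[2], "options": fields[3],
                        "dump": int(dump), "check": int(check)})
    return entries


def effective_options(field):
    """Start from the defaults, then apply listed options left to right."""
    active = {default for default, _ in PAIRS}
    for opt in field.split(","):
        if opt != "defaults":
            active.discard(FLIP.get(opt))
            active.add(opt)
    return active


def audit_fstab(text, policy=POLICY):
    """Map mount point -> sorted list of required options that are missing."""
    findings = {}
    for entry in parse_fstab(text):
        required = policy.get(entry["mountpoint"], set())
        missing = required - effective_options(entry["options"])
        if missing:
            findings[entry["mountpoint"]] = sorted(missing)
    return findings


if __name__ == "__main__":
    for mountpoint, missing in audit_fstab(SAMPLE_FSTAB).items():
        print(f"{mountpoint}: missing {','.join(missing)}")
```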
/etc/group
FILE containing list of groups and their members
Four fields delimited by colon:
group_name:password:GID:members
group_name #name of the group
password #rarely used; an x indicates the password entry is in /etc/gshadow
GID #numeric group ID
members #list of users who are members of the group delimited by ,
/etc/grub.d
contains scripts run by GRUB2 FOLDER
/etc/gshadow
similar to /etc/shadow this FILE holds the security information for groups in the /etc/group file
contains four fields delimited by colon :
groupname:password:admins:members
groupname #the group name
password #an encrypted password for the group, if it exists (can prevent use of newgrp command)
admins #users who are group admins
members #users who are normal members of the group
/etc/hosts
FILE deprecated by DNS but still used for bootstrapping, non-internet(isolated) nodes and input for Network Information Services database
FIELDS
<IP ADDRESS> <HOSTNAME> <ALIAS>
192.168.24.11 test.noobot.com noobot
/etc/init/SERVICE.override
Where this FILE exists, it may simply contain the word 'manual'. This will automatically override the .conf file and prevent the service from running automatically.
/etc/init/rc-sysinit.conf
ubuntu variant of /etc/inittab; default runlevel can be amended
DEFAULT_RUNLEVEL =
See also Shell Commands: runlevel for runlevel descriptions
See /etc/inittab for systemv/Red Hat systems
/etc/inittab
determines which scripts will be executed to provide services at startup FILE
default runlevel can be set in this file (see Shell Commands: runlevel for descriptions)
id:5:initdefault:
#in this line, 5 is the default runlevel and can be amended
SYSTEM V systems. See also /etc/systemd, /etc/init/rc-sysinit.conf
/etc/init.d
contains scripts executed to provide services on startup FOLDER
SYSTEM V systems. See also /etc/systemd
/etc/ld.so.conf
library configuration file - typically points to folder /etc/ld.so.conf.d/ which contains individual package conf files
/etc/login.defs
FILE to manage default settings used when new accounts are created. Does NOT propagate if amended
#setting the range of UID and GIDs available to new users and groups.
UID_MIN #user UIDs start at this value (typically 1000)
UID_MAX #upper limit for UIDs
GID_MIN #group GIDs start at this value (typically 100)
GID_MAX #upper limit for GIDs
#SYS_ #preceding the above values indicates the ranges reserved for system users and groups (services)
#setting password aging settings
PASS_MAX_DAYS #max number of days password is valid 99999 never expires
PASS_MIN_DAYS #min number of days a password must be valid
PASS_WARN_AGE #days before expiry that warning will be generated
/etc/logrotate.conf
Configuration FILE for log file management
Establishes the default log settings, the directory for package logs, and customised settings for individual logs.
SETTINGS
weekly/daily/monthly/yearly
#Rotation interval
rotate 4
#number of rotations to retain
compress
#compress rotated logs
missingok
#no error if logfile is absent
/etc/mail/aliases
FILE used to configure mail aliases
SYNTAX for each line in file:
noobots: mrnoobot, mrsnoobot, panoobot
#defines the mailgroup noobots and users in the mailgroup
mrnoobot: mrnoobot@mrnoobot.com, mrnoobot@uk.mrnoobot.com
#deliver to multiple addresses for same user
logissues: |/usr/local/bin/issues
#pipes mail to a logging application
chiefnoobot: /dev/null
#deletes all incoming mail for a user
/etc/netplan
FOLDER containing files that determine how interfaces are configured
/etc/ntp.conf
Configuration FILE for NTP (Network Time Protocol)
Comprises the servers to sync with and the method (eg iburst); at least 3 are recommended. If the machine is itself a server, it will include its own IP address.
Restricts computers from using the machine as a time server (default ignore) and restricts (whitelists) which computers can access the ntpd service (127.0.0.1 for local host). If server, restrict default will be nomodify nopeer noquery.
Driftfile - a file that monitors the time drift between sync servers and system, ultimately providing for automatic correction
Logfile - location of the ntpd logfile
/etc/passwd
contains user data (not passwords) that may be useful for password cracking when combined with /etc/shadow
Each entry contains seven fields delimited with a colon.
loginID:x:UID:GID:comment:home:shell
loginID #username
x #denotes encrypted password stored in /etc/shadow
UID #user ID number (root is 0)
GID #primary group ID
comment #may contain user/admin customised details
home #absolute path to home directory
shell #absolute path to shell
/etc/rc#.d (# is number between 0 and 6)
A series of directories which define which services are stopped (and started) at specific runlevels (indicated by the number #) FOLDER
The folder contains symbolic links which not only point to the relevant script in /etc/init.d but also indicate what action to perform with that script
/etc/rc5.d/S85httpd
#S STARTS the httpd service at runlevel 5; priority 85
/etc/rc6.d/K15httpd
#K KILLS the httpd service at runlevel 6; priority 15
The prefix number defines what order the script will run, 11 will run before 15 and so on. The correct values to apply are found in the relevant script under chkconfig
grep chkconfig /etc/init.d/httpd
#displays chkconfig (- OR 345) START KILL where START is the recommended S priority and KILL is the recommended K priority and - indicating that the service does not start automatically OR 345 indicating it starts on runlevels 3, 4 and 5.
/etc/rc.d/init.d
Contains scripts of system services FOLDER
The scripts within can be used to manually start/stop services
/etc/rc.d/init.d/httpd start
#this will start the webserver
see also Shell Command: service which accomplishes the same thing
/etc/resolv.conf
Configuration FILE for DNS resolution
nameserver
#IP address name server (max 3)
domain
#domain name used locally
search
#search list for hostname lookup
sortlist
#Allow address sort,list specified by IP addresses
options
#modify internal variables EG:
attempts:3 #set retry count for queries to 3
/etc/rsyslog.conf
Configuration FILE for system logging
Syntax:
FACILITY.PRIORITY ACTION
#DESCRIPTION
Facilities:
auth
#Security and authorization-related commands
authpriv #Private authorization messages
cron
#The cron daemon
daemon
#System daemons
ftp
#The ftp daemon
kern
#The kernel
lpr
#The BSD printer spooling system
mail
#sendmail and other mail-related software
mark #Timestamps generated at regular intervals
news
#The Usenet news system
security
#Same as auth
rsyslog
#rsyslogd internal messages
user
#User processes
uucp
#Reserved for UUCP
local0 to local7
#Eight flavors of local message
Priorities (low to high):
debug
#For debugging only
info
#Informational messages
notice
#Things that might merit investigation
warning (or warn)
#Warning messages
err
#Other error conditions
crit
#Critical conditions
alert
#Urgent situations
emerg (or panic)
#Panic situations
WARN and PANIC are deprecated
SELECTOR = FACILITY.PRIORITY
Example selectors:
*.*
#All facilities and priorities
*.info
#All facilities at info priority or higher
kern.*
#Select all kernel messages
mail.warning
#Messages from the mail facility at a warning priority or higher
cron,lpr.err
#Messages from the cron or lpr facility at an err priority or higher
cron.err;cron.!alert
#Messages from the cron facility at an err priority or higher, but not at alert priority
mail.=err
#Only err messages from the mail facility
*.info;mail.none;lpr.none
#Select messages from all facilities except mail and lpr
ACTION
/path/to/file
#Specify the full absolute path for the log file
-/path/to/file
#The - before the path means to not sync after writing each log message (better system performance for active logs eg mail)
|/path/to/named/pipe
#Specify a pipe symbol and a path to a named pipe file created with mkfifo (make first-in, first-out)
/dev/tty10
#Specify a terminal or console, such as /dev/console
@10.0.0.1
#IP address or hostname of remote host
noobot,mrsnoobot,panoobot
#Specify a list of users whose terminals will have the message displayed if the users are currently logged into the system
*
#Send to the terminal of everyone who is logged in
TEST using the LOGGER command
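Added example (not part of the original notes, and not rsyslog's own code): a Python model of how a SELECTOR is matched, used to see which ACTIONs a given facility and priority would reach. SAMPLE_RULES is constructed and the function names are this example's own.

```python
# Priorities in low-to-high order, as listed in the notes.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
PRIORITY_ALIASES = {"warn": "warning", "panic": "emerg"}   # deprecated names
FACILITY_ALIASES = {"security": "auth"}

# Constructed sample rules (SELECTOR ACTION); not taken from a real system.
SAMPLE_RULES = """\
*.info;mail.none;authpriv.none    /var/log/messages
authpriv.*                        /var/log/secure
mail.*                            -/var/log/maillog
*.emerg                           *
"""


def _level(name):
    return PRIORITIES.index(PRIORITY_ALIASES.get(name, name))


def selector_matches(selector, facility, priority):
    """Apply each ;-separated part left to right; later parts add or remove."""
    facility = FACILITY_ALIASES.get(facility, facility)
    level = _level(priority)
    matched = False
    for part in selector.split(";"):
        facilities, _, prio = part.rpartition(".")
        names = [FACILITY_ALIASES.get(f, f) for f in facilities.split(",")]
        if "*" not in names and facility not in names:
            continue                      # this part does not name the facility
        if prio == "none":
            matched = False
        elif prio == "*":
            matched = True
        else:
            negate = prio.startswith("!")
            prio = prio.lstrip("!")
            if prio.startswith("="):      # =err: exactly this priority
                hit = level == _level(prio[1:])
            else:                         # err: this priority or higher
                hit = level >= _level(prio)
            if hit:
                matched = not negate      # !alert removes alert and higher
    return matched


def route(rules, facility, priority):
    """Return the ACTION of every rule whose selector accepts the message."""
    actions = []
    for line in rules.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            selector, action = line.split(None, 1)
            if selector_matches(selector, facility, priority):
                actions.append(action)
    return actions


if __name__ == "__main__":
    for fac, prio in [("authpriv", "info"), ("mail", "emerg"), ("kern", "debug")]:
        print(f"{fac}.{prio} ->", route(SAMPLE_RULES, fac, prio) or "dropped")
```

With the sample rules, kern.debug matches no selector at all, which is the kind of logging gap this check is meant to surface before relying on a log file.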
/etc/services
Legacy FILE for mapping application service names to port numbers. This is now typically done with individual config files but this file may still be useful for identifying default ports.
/etc/shadow
contains users' hashed passwords which can be combined with /etc/passwd for cracking. Only accessible by root.
each entry comprises eight fields, delimited with a colon
loginID:password:lastchg:min:max:warn:inactive:expire
loginID #corresponds with loginID in /etc/passwd
password #encrypted password (none if empty). If preceded by ! account is locked. ! or * on their own indicate inaccessible (likely system) account.
lastchg #no of days from 1st Jan 1970 until last password change
min #minimum age (days) before user can change password
max #maximum age (days) before password expiry (99999 no expiry)
warn #no of days before expiry to issue password change warning
inactive # no of days after password expiry account remains active
expire #days post 1st Jan 1970 indicating a date when password will be deleted and account rendered inactive.
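Added example (not part of the original notes): a Python audit that joins /etc/passwd and /etc/shadow on loginID and reports empty passwords, locked accounts, non-expiring passwords, extra UID 0 accounts and expired accounts. The sample files are constructed, the hash strings are placeholders, and the function names are this example's own.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
SHADOW_FIELDS = "loginID password lastchg min max warn inactive expire".split()

# Constructed samples; "$6$constructed$placeholder" stands in for a real hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mrnoobot:x:1000:1000:Mr Noobot:/home/mrnoobot:/bin/bash
mrsnoobot:x:1001:1001::/home/mrsnoobot:/bin/bash
panoobot:x:0:1002::/home/panoobot:/bin/bash
guest:x:1003:1003::/home/guest:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$constructed$placeholder:19000:0:90:7:::
daemon:*:18000:0:99999:7:::
mrnoobot:$6$constructed$placeholder:19500:0:99999:7:::
mrsnoobot:!$6$constructed$placeholder:19000:0:90:7:::
panoobot:$6$constructed$placeholder:19500:0:90:7::19600:
guest::19500:0:90:7:::
"""

def days_to_date(days):
    """Convert a days-since-1st-Jan-1970 field to a calendar date."""
    return EPOCH + timedelta(days=int(days))

def parse_shadow(text):
    """Map loginID -> dict of the eight fields described in the notes."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            values = (line.split(":") + [""] * 8)[:8]
            entries[values[0]] = dict(zip(SHADOW_FIELDS, values))
    return entries

def audit_accounts(passwd_text, shadow_text, today):
    """Return (loginID, finding) tuples in /etc/passwd order."""
    shadow, findings = parse_shadow(shadow_text), []
    for line in filter(str.strip, passwd_text.splitlines()):
        login, _, uid = line.split(":")[:3]
        if uid == "0" and login != "root":
            findings.append((login, "UID 0 but not root"))
        entry = shadow.get(login)
        if entry is None:
            findings.append((login, "no shadow entry"))
            continue
        password = entry["password"]
        if password == "":
            findings.append((login, "empty password"))
        elif password in ("!", "*"):
            continue                      # inaccessible (likely system) account
        elif password.startswith("!"):
            findings.append((login, "locked"))
        elif entry["max"] in ("", "99999"):
            findings.append((login, "password never expires"))
        if entry["expire"] and days_to_date(entry["expire"]) <= today:
            findings.append((login, "account expired"))
    return findings
```

Calling audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, date.today()) returns the findings as a list; on a real host both files would be read as root.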
/etc/skel
FOLDER that holds default directory structure/contents that will be applied to a new user's home directory ON CREATION (ie if this folder is amended it does not propagate to existing users)
Different template folders can be created on the system, for example /etc/skel_sales, /etc/skel_hr and /etc/skel_marketing and referenced in the -k option when creating accounts with useradd.
/etc/systemd/journald.conf
configuration file for the journald logging daemon, which creates the main log on systemd systems as binaries FILE
Storage auto/volatile/persistent/none
#log if log file exists/log to RAM/log to disk/log to console
Compress
#compress files or not
SystemMaxUse
#define storage (default 10% capped at 4GB)
SystemMaxFileSize
#define max file size before rotation
/etc/systemd/system/default.target
a symbolic link that points to the required default target (runlevel) in /lib/systemd/system on a systemd machine LINK
/etc/udev/rules.d
contains configuration files that specify how devices are handled when connected. FOLDER
/home
location of user home directories FOLDER
/lib/systemd/system
contains systemd targets (runlevels) for boot. FOLDER
default target can be set by making a symbolic link:
/etc/systemd/system/default.target
that points to the required target in /lib/systemd/system
.mount
systemd mount FILE
UNIT
Description #mount unit to be mounted
Before #filename to be mounted
MOUNT
What #absolute path to file to be mounted
Where #location to mount to
Type #filesystem type
Options #options
INSTALL
WantedBy #systemd target that this filesystem will be used by
/opt
directory containing third party software installations
/proc/dma
contains a list of hardware items that can exercise Direct Memory Access (bypassing the CPU) FILE
/proc/iomem
/proc/iomem contains a list of locations used to pass and store data similar to RAM FILE
/proc/ioports
/proc/ioports contains memory addresses used for communication with hardware devices such as keyboards FILE
/proc/meminfo
/proc/meminfo contains information about the system memory FILE
/run/log/journal
file for non-persistent and RAM-based logging FILE; must be opened with the journalctl command
swap
virtual memory that is NOT mounted as a directory - can be up to twice the physical memory on a system VIRTUAL
/sys
/sys contains values relevant to the operation and configuration of the kernel FOLDER
/tmp
temporary WORLD WRITEABLE directory for system and users FOLDER
/usr
operating system files, commands and system software FOLDER
/usr/local
locally installed software that should not be upgraded alongside the operating system
/usr/share/zoneinfo
FOLDER containing available timezone files
/var
directory for heavy activity functions such as mail, ftp, http FOLDER
/var/tmp is WORLD WRITEABLE
/var/log/boot.log
System boot log FILES
/var/log/cron.log
cron service (scheduled task) log files
/var/log/dmesg
contains messages generated during the boot process FILE
/var/log/httpd/error_log
Apache web server error log file FILE
/var/log/kern.log
Kernel log FILES
/var/log/journal
file for persistent logging on a systemd system; must be opened using the journalctl command. FILE
/var/log/maillog
Mail server log FILE
/var/log/messages
Kernel and system-related messages - the MAIN log file FILE
See also /var/log/syslog, /var/log/rsyslog
/var/log/rsyslog
Kernel and system-related messages - the MAIN log file FILE
See also /var/log/messages, /var/log/syslog
/var/log/secure
Authentication log FILE - see also /var/log/auth.log
/var/log/syslog
Kernel and system-related messages - the MAIN log file FILE
See also /var/log/messages, /var/log/rsyslog
/var/log/ufw.log
Log FILE for the Uncomplicated Firewall
/var/spool/cron
FOLDER containing user crontab files. Should not be edited directly, rather user should use crontab command.