The Linux an interviewer probes: files & permissions, processes & signals, what's eating
resources, networking, and enough text-tool fluency to slice a log. Everything is a file; the
shell is the API; /proc is the truth.
1. Filesystem layout (FHS)
| Path | What |
|---|
/etc | System config |
/var | Variable data — /var/log, /var/lib, spool |
/usr | User binaries + libs (/usr/bin, /usr/local) |
/home | User home dirs |
/proc, /sys | Kernel/process virtual filesystems (live state) |
/dev | Device files |
/tmp | Temp (world-writable, sticky bit) |
2. Files & navigation
ls -lah ; cd - ; pwd ; tree -L 2
find /var/log -name "*.log" -mtime -1 -size +10M # recent, large
find . -type f -exec grep -l TODO {} +
cat / less / head -n50 / tail -f / tac / nl
cp -a src dst ; mv a b ; rm -rf dir ; mkdir -p a/b/c
ln -s /target link # symlink ; ln target hard # hard link
stat file ; file binary ; realpath link
df -h ; du -sh * | sort -rh | head ; ncdu
3. Permissions & ownership
chmod 644 file # rw-r--r-- (u=rw g=r o=r) r=4 w=2 x=1
chmod +x script.sh ; chmod -R 750 dir ; chmod u+s,g+s,o+t
chown user:group file ; chown -R app: /srv/app ; chgrp grp file
umask 022 # default mask -> files 644, dirs 755
getfacl/setfacl file # fine-grained ACLs
lsattr/chattr +i file # immutable bit
| Special bit | Octal | Effect |
|---|
| setuid | 4xxx | Run as file owner (e.g. passwd) |
| setgid | 2xxx | Run as group / new files inherit dir's group |
| sticky | 1xxx | Only owner can delete (/tmp = 1777) |
x on a directory ≠ x on a file
To enter a directory you need x on it; to list it you need
r. Reading a file needs r on the file and x
on every parent directory in the path.
4. Processes & signals
ps aux | grep nginx ; ps -ef --forest ; pgrep -a nginx
top ; htop ; pidstat 1 ; pstree -p
kill -TERM # 15 graceful (default) ; kill -9 (SIGKILL last resort)
kill -HUP # reload config (many daemons)
pkill -f pattern ; killall name
nohup cmd & ; disown ; jobs ; bg ; fg %1
nice -n 10 cmd ; renice -n 5 -p # priority
cat /proc//status ; ls /proc//fd | wc -l # fd count
| Signal | Meaning |
|---|
| SIGTERM (15) | Polite stop (default). Catchable — graceful shutdown. |
| SIGKILL (9) | Force kill. Uncatchable. Last resort. |
| SIGHUP (1) | Hangup — often "reload config". |
| SIGINT (2) | Ctrl-C. |
| SIGSTOP/SIGCONT | Pause / resume. |
5. systemd & logs
systemctl status/start/stop/restart/enable/disable nginx
systemctl daemon-reload # after editing a unit
systemctl --failed # what failed
systemctl list-units --type=service ; systemctl cat nginx
journalctl -u nginx -f # follow a service
journalctl -u nginx --since "1 hour ago" -p err
journalctl -b -1 # previous boot (after crash)
journalctl --vacuum-time=7d # shrink journal
systemd-analyze blame # slow boot units
6. Text processing — slice a log
grep -i error app.log ; grep -rn TODO src/ ; grep -c 500 access.log
grep -v healthcheck access.log | grep -E '5[0-9]{2}'
awk '{print $1}' access.log | sort | uniq -c | sort -rn | head # top IPs
awk -F: '$3 >= 1000 {print $1}' /etc/passwd # human users
sed -n '100,120p' file ; sed -i.bak 's/old/new/g' file
cut -d: -f1,7 /etc/passwd ; tr -s ' ' ; column -t ; jq '.items[]'
sort | uniq -c | sort -rn ; wc -l ; xargs ; tee
cmd1 | cmd2 ; cmd > out 2>&1 ; cmd 2>/dev/null ; cmd <<< "input"
7. What's eating resources?
top / htop # CPU/mem live (press M=mem, P=cpu)
uptime # load avg vs core count (nproc)
free -m # use 'available', not 'free'
vmstat 1 # r=run queue, si/so=swap, wa=iowait
mpstat -P ALL 1 ; pidstat -t 1
df -h ; df -i # disk space ; INODES (df -h lies if inodes full)
iostat -xz 1 ; iotop -o # disk I/O ; lsof +L1 (deleted-but-open)
ss -ltnp ; ss -s # listening ports + pid ; socket summary
dmesg -T | tail # OOM kills, hardware, fs errors
strace -p ; ltrace # syscalls / library calls (what's it stuck on)
8. Networking
ip a ; ip route ; ip -s link # interfaces, routes, stats
ss -tunap # all sockets + pid (replaces netstat)
ping host ; traceroute host ; mtr host
dig name ; dig +short name ; nslookup ; getent hosts name
curl -v https://host ; curl -I url ; wget -qO- url
nc -vz host port # port open? refused vs timeout
tcpdump -ni any port 443 # capture (last resort)
ufw status ; iptables -L -n ; nft list ruleset
9. Disk & storage
lsblk ; blkid ; mount | column -t ; cat /etc/fstab
df -h ; df -i ; du -xh / | sort -rh | head
mkfs.ext4 /dev/sdb1 ; mount /dev/sdb1 /mnt ; umount /mnt
# LVM: pvs / vgs / lvs ; lvextend -r -L +10G /dev/vg/lv
"disk full" but df shows space
You're out of inodes (df -i) or a deleted-but-open file holds the blocks
(lsof +L1). Free space ≠ free inodes ≠ released handles.
10. Packages, users, cron
# Debian/Ubuntu # RHEL/Fedora
apt update && apt install pkg ; dnf install pkg
apt list --installed ; dpkg -l ; rpm -qa ; rpm -qf /path
useradd -m -s /bin/bash user ; passwd user ; usermod -aG sudo user
id ; whoami ; groups ; sudo -l ; su - user
crontab -e ; crontab -l # "* * * * * cmd" (min hr dom mon dow)
systemctl list-timers # systemd timers (cron alternative)
11. Where the logs live
| Path / cmd | What |
|---|
journalctl | systemd unit + kernel logs (primary on modern distros) |
/var/log/syslog / messages | general system log |
/var/log/auth.log / secure | logins, sudo, sshd |
dmesg | kernel ring buffer (OOM, disk, hardware) |
/var/log/cloud-init.log | cloud VM first-boot provisioning |
12. Rapid-fire interview Q&A
- What does chmod 755 mean?Owner rwx, group r-x, other r-x. Octal r=4 w=2 x=1.
- SIGTERM vs SIGKILL?TERM = graceful, catchable (cleanup). KILL(9) = forced, uncatchable. Try TERM first.
- free shows little 'free' memory — problem?No. Linux uses free RAM as cache. Look at 'available', not 'free'.
- How to find what's using a port?
ss -ltnp or lsof -i :PORT.
- Hard vs soft link?Hard = another name for the same inode (same fs). Soft/symlink = a pointer to a path (can cross fs, can dangle).
- How to see a service's logs?
journalctl -u svc -f; kernel via dmesg.
- stdout vs stderr redirect?
> stdout, 2> stderr, 2>&1 merge stderr into stdout, &> both.
- load average of 4 on a 4-core box?Fully utilized (1 per core). Above core count = tasks waiting = saturation.
- What's in /proc?A virtual fs exposing kernel + per-process state (
/proc/<pid>/fd, /proc/meminfo). Live truth, not files on disk.
- disk full but df shows space?Out of inodes (
df -i) or a deleted-but-open file (lsof +L1).
- setuid bit?Run the binary as its owner regardless of caller — how
passwd edits root-owned files.
- How to run a job on a schedule?cron (
crontab -e) or a systemd timer.