Linux Important Questions & Answers
— ny_wk
Linux interview questions for system administrators cluster around a few predictable themes: user and password management, the boot process, filesystem and inode internals, process control, backups, and everyday command-line fluency. This guide organizes the most commonly asked questions into clear topic sections with accurate, corrected answers and the exact commands you will be expected to know.
Rather than dumping a list, the material below is grouped the way a real Linux sysadmin interview flows, so you can reason about why a command works, not just memorize it. Several answers floating around online forums are wrong or outdated; those errors are fixed here and noted explicitly.
User, Password, and Account Management
Account questions are almost guaranteed in any Linux interview. They test whether you understand the difference between /etc/passwd, /etc/shadow, and the tools that manage them.
How do you force a user to change their password at next login?
Set the last-change date to the epoch (day 0) so the system treats the password as expired:
- Run chage -d 0 username.
- Verify with chage -l username; the user is prompted to change the password on the next login.
You can also use passwd -e username to expire a password immediately.
What are the seven fields of /etc/passwd, in order?
The fields are colon-separated and must always be present (even if empty):
| 1. username | login name |
| 2. password | x when shadow passwords are enabled |
| 3. UID | numeric user ID |
| 4. GID | primary group ID |
| 5. GECOS | comment / full name |
| 6. home directory | e.g. /home/user |
| 7. shell | e.g. /bin/bash |
A common interview trap claims the order is username, UID, GID, comment, home, command — that is only six fields. The real, correct order is the seven above: the password placeholder sits in field two, between username and UID.
How do you reset a forgotten password?
As root, run passwd username (for example passwd boba). With no username, passwd changes your own password. Note that useradd -m bobm creates the account and home directory but leaves the password locked — the user cannot log in until you run passwd bobm.
How do you enable shadow passwords?
Run pwconv. It creates /etc/shadow, moves the password hashes there, and replaces each password in /etc/passwd with x. The shadow file is readable only by root, which is why it improves security: the central hash store is no longer world-readable. If a user has a blank password field in /etc/passwd, conversion can fail for that entry, so populate or lock it first.
How do you prevent a user from logging in?
Lock the account so the hash can never match. The modern way is passwd -l username or usermod -L username, which prepends a ! to the hash. Setting the shell to /sbin/nologin also blocks interactive login. (Older notes say “put an asterisk in the password field” — that works because no real hash equals *, but the supported tools are passwd -l/usermod -L.)
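The account answers above (forced change via chage -d 0, the seven-field layout, shadowing, and the ! lock prefix) can be checked together in one pass. The script below is an added example, not code from the original page; the function names, finding labels, and sample accounts are hypothetical, and the hash strings are constructed placeholders.

```shell
#!/bin/sh
# audit_accounts PASSWD SHADOW: print one "finding:user" line per issue found.
audit_accounts() {
    awk -F: '
        # First file read is shadow: keep the hash (field 2) and last-change day (field 3).
        FNR == NR { hash[$1] = $2; lastchg[$1] = $3; seen[$1] = 1; next }
        # Second file is passwd: all seven fields must be present, even if empty.
        NF != 7 { print "bad-field-count:" $1; next }
        $2 == "" { print "empty-password:" $1 }
        $2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ { print "hash-in-passwd:" $1 }
        $3 == 0 && $1 != "root" { print "extra-uid0:" $1 }
        $7 ~ /\/nologin$/ { print "nologin-shell:" $1 }
        $2 == "x" && !($1 in seen) { print "no-shadow-entry:" $1 }
        $2 == "x" && ($1 in seen) {
            if (hash[$1] ~ /^!/) print "locked:" $1          # passwd -l / usermod -L
            if (lastchg[$1] == "0") print "must-change:" $1  # chage -d 0
        }
    ' "$2" "$1"
}

# Constructed sample files; account names and hash strings are placeholders.
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol::1002:1002:Carol:/home/carol:/bin/bash
dave:$6$constructed$placeholder:1003:1003:Dave:/home/dave:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
erin:1004:1004:Erin:/home/erin:/bin/bash
frank:x:1005:1005:Frank:/home/frank:/sbin/nologin
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$placeholder:19800:0:99999:7:::
alice:$6$constructed$placeholder:0:0:99999:7:::
bob:!$6$constructed$placeholder:19800:0:99999:7:::
frank:$6$constructed$placeholder:19800:0:99999:7:::
EOF
}

sample_dir=$(mktemp -d)
write_samples "$sample_dir"
audit_accounts "$sample_dir/passwd" "$sample_dir/shadow"
rm -rf "$sample_dir"
```

The erin line uses the six-field layout from the interview trap and is reported as malformed; on a real host, run it as root against /etc/passwd and /etc/shadow.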
How do you become root without logging out?
Use su - to switch to root (you will be prompted for the root password), do your work, then type exit to return to your own session. On most modern systems sudo -i is preferred because it uses your own credentials and is fully audited.
How do you find users who have not logged in for 30+ days?
Use lastlog, which reads /var/log/lastlog and shows the last login time per account. lastlog -b 30 shows users whose last login was more than 30 days ago. The last command reads /var/log/wtmp for a chronological login history.
What command reports per-user disk quotas?
repquota (for example repquota -a) prints a report of allocated versus used space and inode counts per user, for filesystems with quotas enabled.
The Linux Boot Process
Boot questions separate candidates who memorized commands from those who understand the system. A strong answer to these Linux interview questions walks the boot chain in order.
What is the GRUB “stage 1.5”?
This applies to legacy GRUB (GRUB Legacy / 0.9x). The 446-byte boot code in the MBR (stage 1) is too small to understand filesystems, so it loads an intermediate stage 1.5 that contains filesystem drivers — for example e2fs_stage1_5 for ext2/ext3 or reiserfs_stage1_5 for ReiserFS. Stage 1.5 then loads stage 2, the full bootloader that reads /boot/grub/menu.lst and the kernel image directly from the filesystem. So the chain is: Stage 1 (MBR) → Stage 1.5 (filesystem driver) → Stage 2 (full GRUB).
Modern note: almost every current distribution uses GRUB 2, which has no separate “stage 1.5” concept — it embeds the needed modules in the gap after the MBR (or in a BIOS Boot Partition on GPT disks) and on UEFI systems loads an EFI application (grubx64.efi) from the EFI System Partition. Mention GRUB 2 in the interview to show you are current; describe stage 1.5 only when asked about GRUB Legacy.
What is LILO?
LILO (LInux LOader) is the original Linux bootloader. Unlike GRUB it has no filesystem awareness — it stores raw disk block addresses of the kernel in its map file, so you must rerun lilo every time the kernel moves. It is obsolete; GRUB 2 replaced it everywhere.
What is the most graceful way to reach single-user mode?
On a running SysV-init system, init s (or telinit 1) switches to single-user mode without a full reboot. On modern systemd distributions the equivalent is systemctl rescue (rescue/single-user target) or systemctl emergency for a more minimal environment. (The old advice to “init 0 then boot -s” mixes a full shutdown with a SPARC OpenBoot command and is not how you do this on x86 Linux.)
How do you review boot messages?
Run dmesg to read the kernel ring buffer (hardware detection, driver messages). On systemd systems, journalctl -b shows the full log for the current boot.
What is the minimum number of partitions to install Linux?
Two: a root (/) partition and a swap partition. In practice many setups add /boot and, on UEFI, an EFI System Partition, but the bare minimum is root plus swap.
Filesystem, Inodes, and Storage
This section is where deep Linux knowledge shows. Expect questions on inodes, links, mounting, and recovering from “disk full” errors.
“No space left on device” but df shows free space — what is wrong?
You have likely run out of inodes, not blocks. Each file consumes one inode; a filesystem full of tiny files can exhaust the inode table while plenty of byte capacity remains.
- Confirm with df -i; look for a mount at 100% in the IUse% column.
- Find the offending directory: for d in /*; do echo "$(find "$d" -xdev 2>/dev/null | wc -l) $d"; done | sort -n.
- Delete or relocate the many small files (often stale session files, mail spool, or cache).
- Re-check with df -i to verify inodes are freed.
An ext filesystem fixes its inode count at creation time, so the long-term fix may be to recreate it with mkfs.ext4 -N or a smaller -i bytes-per-inode ratio.
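To catch this condition before writes start failing, compare block usage and inode usage per mount. The script below is an added example, not code from the original page; the function names and the sample df output are constructed, and it assumes mount points without spaces.

```shell
#!/bin/sh
# inode_starved DF_BLOCKS DF_INODES LIMIT
# DF_BLOCKS holds saved `df -P` output, DF_INODES holds saved `df -Pi` output.
# Prints each mount point whose IUse% is >= LIMIT while its block Capacity is < LIMIT,
# i.e. the "No space left on device, but df shows free space" case.
inode_starved() {
    awk -v limit="$3" '
        FNR == 1 { next }                      # header line of each file
        { pct = $5; sub(/%$/, "", pct) }       # column 5: Capacity or IUse%
        FNR == NR { blocks[$6] = pct; next }   # first file: remember block usage
        pct == "-" { next }                    # filesystem reports no inode figures
        pct + 0 >= limit && blocks[$6] + 0 < limit { print $6 }
    ' "$1" "$2"
}

# Constructed sample output: /var/spool is out of inodes, /data is out of blocks.
write_df_samples() {
    cat > "$1/df_blocks" <<'EOF'
Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sda1         41152736 12345678  26693490      32% /
/dev/sdb1         10190100  4076040   5573248      43% /var/spool
/dev/sdc1         20511312 19485746         0     100% /data
tmpfs              4014560        0   4014560       0% /dev/shm
EOF
    cat > "$1/df_inodes" <<'EOF'
Filesystem      Inodes  IUsed   IFree IUse% Mounted on
/dev/sda1      2621440 210312 2411128    9% /
/dev/sdb1       655360 655360       0  100% /var/spool
/dev/sdc1      1310720   1200 1309520    1% /data
tmpfs          1003640      1 1003639    1% /dev/shm
EOF
}

df_dir=$(mktemp -d)
write_df_samples "$df_dir"
inode_starved "$df_dir/df_blocks" "$df_dir/df_inodes" 95
rm -rf "$df_dir"
```

On a live host, save df -P and df -Pi to two files and pass them in the same order.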
What is an inode?
An inode is the on-disk data structure that describes a file — everything except its name. It stores the owner UID/GID, permission bits, file type, size, timestamps (access, modify, change), link count, and pointers to the data blocks. The filename lives in the directory entry, which maps a name to an inode number. A classic ext2/ext3 inode holds 15 block pointers: 12 direct, one single-indirect, one double-indirect, and one triple-indirect, which lets small files be read in a single seek while still supporting very large files. (Older notes saying “13 addresses, first 10 direct” describe a simplified textbook UNIX inode, not Linux ext.)
What is the difference between a hard link and a symbolic link?
- A hard link is a second directory entry pointing at the same inode. Both names are equal; the data is freed only when the link count reaches zero. Hard links cannot cross filesystems and cannot point to directories.
- A symbolic (soft) link is a small separate file whose contents are the path to another file. It can cross filesystems and point to directories, but breaks if the target is removed. ls -l shows it as lrwxrwxrwx.
Create them with ln target linkname (hard) or ln -s target linkname (symbolic). To link to a directory you must use a symbolic link: ln -s /data /home/bob/datalink. (The old claim that ln needs an -F flag for directories is wrong — the correct flag is -s.)
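The inode behaviour described above can be observed directly in a scratch directory. This script is an added example, not code from the original page; the function names and file names are hypothetical, and it assumes a Linux filesystem where ls -i reports inode numbers.

```shell
#!/bin/sh
# inode_of / links_of read the inode number and link count from ls output.
inode_of() { ls -di "$1" | awk '{print $1}'; }
links_of() { ls -ld "$1" | awk '{print $2}'; }

# link_demo DIR: create a file, a hard link and a symlink in DIR, then delete
# the original name. Prints one "key=value" line per observation.
link_demo() {
    dir=$1
    echo "payload" > "$dir/target"
    ln "$dir/target" "$dir/hard"       # second name for the same inode
    ln -s target "$dir/soft"           # separate file that stores the path "target"

    [ "$(inode_of "$dir/target")" = "$(inode_of "$dir/hard")" ] && echo "hard_same_inode=yes"
    [ "$(inode_of "$dir/target")" != "$(inode_of "$dir/soft")" ] && echo "soft_own_inode=yes"
    echo "links_before=$(links_of "$dir/target")"

    rm "$dir/target"                   # drops one name; the data survives via "hard"
    echo "links_after=$(links_of "$dir/hard")"
    echo "hard_content=$(cat "$dir/hard")"
    # -L tests the link itself; -e follows it and fails once the target is gone.
    if [ -L "$dir/soft" ] && [ ! -e "$dir/soft" ]; then echo "soft_dangling=yes"; fi

    mkdir "$dir/sub"
    ln "$dir/sub" "$dir/sub_hard" 2>/dev/null || echo "hard_link_to_dir=refused"
    ln -s sub "$dir/sub_soft" && echo "soft_link_to_dir=ok"
}

demo_dir=$(mktemp -d)
link_demo "$demo_dir"
rm -rf "$demo_dir"
```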
How do you mount and unmount filesystems?
The mount system call attaches a filesystem onto a directory (the mount point); umount detaches it. To inspect a CD-ROM or ISO read-only: mount -o ro /dev/sr0 /mnt/cdrom, then umount /mnt/cdrom when done. To run a filesystem check (fsck) on root, root must be mounted read-only — you cannot safely fsck a read-write mounted filesystem.
How are devices represented in UNIX/Linux?
As special files under /dev. A block special file (e.g. a disk) transfers data in fixed-size blocks; a character special file (e.g. a keyboard or serial port) transfers a stream of bytes. A regular file is ordinary data on disk. This uniform “everything is a file” model lets you read and write devices with the same calls you use for files.
What is a FIFO (named pipe)?
A FIFO is a special file used for inter-process communication. One process writes (producer), another reads (consumer), in first-in-first-out order. Create one with mkfifo mypipe (or the mknod system call). Data flows through the kernel buffer and is consumed as it is read.
Permissions and File Operations
How do file permissions and chmod work?
Each file has three permission triplets — user, group, others — each combining read (4), write (2), and execute (1). Add the values: rw- = 6, rwx = 7, r-- = 4.
- chmod 664 myfile → rw-rw-r-- (user/group read-write, others read-only).
- chmod 744 myfile → rwxr--r--.
- Symbolic form works too: chmod u+x,g-w myfile.
In ls -l output, the first character indicates the file type: - regular, d directory, l symlink, b block device, c character device, p FIFO, s socket.
What is the result of mv /home/ben/memos /home/bob when /home/bob already has a memos directory?
If /home/bob/memos already exists, the source is moved inside it, becoming /home/bob/memos/memos. If it does not exist, memos is simply renamed into /home/bob/memos. Knowing this nesting behavior is a frequent interview check.
Which commands delete a directory?
Use rmdir (empty directories only) or rm -rf (recursive, force — deletes the directory and everything in it). Plain rm without -r deletes files, not directories.
Processes, Signals, and the fork() Model
Process internals are favorite Linux interview questions for experienced candidates because they reveal whether you understand the kernel, not just commands.
What does fork() do, and what does it return?
fork() creates a new child process that is a near-duplicate of the parent. It returns twice: the child’s PID is returned to the parent, and 0 is returned to the child. On failure it returns -1. The child resumes from the point of the fork() call, so code after fork() runs in both processes.
How many times does this print “Hello”?
For a single fork() followed by a printf, the message prints twice (once per process). For three sequential fork() calls, the process count doubles each time, so the final printf runs in 2³ = 8 processes — the message prints 8 times. The rule: n forks → 2ⁿ processes reach the line after the last fork.
What is a zombie process?
A zombie is a child that has terminated but whose exit status has not yet been collected by the parent via wait(). The kernel keeps a minimal entry so the parent can read the exit code; in ps the process shows state Z (defunct). Zombies use no memory or CPU, but they consume a PID slot. They are cleared when the parent calls wait(); if the parent dies first, init/systemd adopts the orphan and reaps it.
What are the main process states?
- Running / Runnable (R): executing or ready to run.
- Sleeping (S/D): waiting for an event or resource (D is uninterruptible, usually I/O).
- Stopped (T): suspended, typically by a signal such as SIGSTOP.
- Zombie (Z): finished but not yet reaped.
Which IDs are associated with a process?
The PID (getpid()), the parent PID (getppid()), the real user ID (getuid()), and the effective user ID (geteuid()) that governs access checks. Key process-management calls include fork(), exec(), wait(), exit(), and nice().
How do you change a running process's priority?
Start a job at lower priority with nice -n 10 command, or change an already-running process with renice -n 5 -p PID. The top utility can also renice interactively and shows a live, auto-updating list of processes. Higher nice values mean lower priority (more “nice” to others).
Backups, Archiving, and Logs
How do you create, list, and extract tar archives?
- Create + compress: tar czf backup.tar.gz /home (the z flag gzips the archive as it is built).
- List contents: tar tf MyBackup.tar (add v for the full stored structure: tar tvf MyBackup.tar).
- Extract one file: tar xf MyBackup.tar memo.ben.
If you do not know how a tarball’s directories are laid out before restoring, tar tvf tarfile lists them verbosely.
How do you back up with cpio?
Pipe a file list into cpio in copy-out mode: find /home | cpio -o > backup.cpio. find generates the list of files and directories; cpio -o writes them to the archive.
How do you read a compressed log without decompressing it?
Use zcat oldlog.gz (or zless for paging, zgrep to search). These behave like cat/less/grep but decompress on the fly, leaving the file on disk untouched.
What rotates logs, and where is the main system log?
logrotate (driven by /etc/logrotate.conf and /etc/logrotate.d/) compresses and cycles logs on a schedule. The traditional main log is /var/log/messages (or /var/log/syslog on Debian/Ubuntu); the daemon that writes it is syslogd/rsyslogd. On systemd hosts the journal (journalctl) is the primary log store.
Why put /var on its own partition, and what do you do when it fills?
Isolating /var (or /var/spool, /tmp, /home) keeps a runaway log or mail spool from filling the root filesystem and crashing the system. If /var fills, first rotate or truncate logs and clear caches. Resizing is the modern fix: with LVM use lvextend + resize2fs to grow it online — you no longer need to delete and recreate the partition as you did on raw, unmanaged disks.
Everyday Command-Line Fluency
Quick-fire command questions round out most Linux interview sessions. Know these cold:
- Find files accessed in the last 30 days: find / -type f -atime -30 (-atime -30 = accessed fewer than 30 days ago).
- Show the last 15 lines of several files: tail -n 15 dog cat horse.
- Locate which binary runs: which command (or type command to detect aliases/builtins) when duplicates on $PATH cause surprises.
- One-line summary of a command: whatis command (from the man page).
- Live process monitor: top (or htop).
- Identify your shell: echo $SHELL.
- Split a 4,000-line file into 1,000-line pieces: split -l 1000 phonenos.
- List hidden files recursively: ls -aR /home/username.
- Run commands sequentially on one line: separate with ; (or && to stop on the first failure).
- Suspend a job to the background: press Ctrl+Z, then bg to resume it in the background.
- Server architecture (32- vs 64-bit): arch or uname -m (x86_64 = 64-bit).
What does “cat dog &> cat” display?
Nothing. The &> operator redirects both standard output and standard error into the file named cat, so all output is captured to the file and none reaches the terminal.
Explain: (date; ps -ef | awk '{print $1}' | sort | uniq | wc -l) >> Activity.log
This logs the timestamp and the number of distinct users with running processes. date prints the current time; ps -ef lists all processes with the owner in column 1; awk '{print $1}' extracts that owner column; sort orders it so uniq can collapse duplicates (uniq only deduplicates adjacent lines); wc -l counts the unique owners. The grouping parentheses append both the date and the count to Activity.log, creating the file if absent. Tip: sort -u can replace sort | uniq.
Which install-time servers assign IPs and serve files?
A DHCP server hands out IP addresses to machines during a network install. An NFS server commonly serves the distribution installation tree to the target machine. Don’t confuse these with SMB/Samba (cross-OS file and print sharing), FTP, or HTTP.
What is a shell, and how do you switch line-editing modes?
A shell is the interactive interface that parses your commands and turns them into system calls or forks processes to run programs — common shells are bash, zsh, sh, ksh, and csh. To use vi-style command-line editing for the session, run set -o vi (reverts on next login unless added to your shell rc file).
Key Takeaways
- Know the data structures, not just commands: inodes, the seven /etc/passwd fields, and the fork() return values are the questions that separate junior from senior candidates.
- “Disk full” with free space almost always means inodes; reach for df -i first.
- Cite the modern equivalent: mention GRUB 2, systemd targets, journalctl, and LVM resizing to show you are current, while still explaining the legacy concept asked about.
- Hard vs symbolic links hinge on the inode: hard links share an inode and stay local; symlinks store a path and can cross filesystems or target directories.
- Several widely-copied answers are wrong: ln -s (not -F) links directories, and the passwd field count is seven, not six. Verify before you memorize.
Frequently Asked Questions
What are the most important Linux commands for an interview?
Master file and process tools (ls, find, grep, tar, chmod, ps, top, kill, df, du), user management (useradd, passwd, chage, usermod), and log/boot tools (dmesg, journalctl, systemctl). Being able to explain pipelines like ps -ef | awk | sort | uniq | wc -l matters as much as knowing each command alone.
How do I explain the Linux boot process in an interview?
Walk it in order: firmware (BIOS/UEFI) → bootloader (GRUB 2) → kernel load and initramfs → init/systemd (PID 1) → target/runlevel services → login. Reference legacy GRUB stage 1/1.5/2 only if the interviewer specifically asks about it, and contrast it with GRUB 2.
What is the difference between a process and a thread in Linux?
A process has its own address space and resources; threads are execution contexts that share their parent process’s address space. In Linux both are created via clone() under the hood, but a process (via fork()) gets a private copy of memory, while threads share it — making threads lighter to create but requiring synchronization.
How do I prepare for a Linux system administration certification?
Practice hands-on in a virtual machine: build users and groups, manage permissions and ACLs, configure storage with LVM, write systemd units, and read logs with journalctl. Certifications like the LFCS and RHCSA are performance-based, so doing the tasks repeatedly beats reading alone.