Linux or Unix important questions and answers for interview
— ny_wk

This guide collects the Linux system admin interview questions that hiring managers actually ask, with corrected, accurate, and modern answers you can use to prepare. It covers troubleshooting, filesystems, networking, the boot process, permissions, and the everyday command-line skills that separate a confident administrator from someone who only memorized commands.
The classic Q&A lists that float around the web are full of small errors, outdated tools, and half-finished answers. Below, each Linux interview question is rewritten so the explanation is correct on a modern distribution (RHEL/CentOS Stream, Rocky, AlmaLinux, Ubuntu) while still noting the legacy commands you may be asked about. Read it as a study sheet, not a memory dump.
Troubleshooting and Performance Questions
A user says "my machine is slow." What are your steps?
Do not jump to conclusions. Slowness is almost always CPU, memory, disk I/O, or network. Work methodically:
- Run top or the friendlier htop to see CPU and memory pressure and which process dominates.
- Check the load average with uptime. A load consistently higher than the CPU core count means contention.
- Inspect memory and swap with free -h. Heavy swapping (high si/so in vmstat 1) is a classic cause of sluggishness.
- Check disk I/O with iostat -xz 1 (from the sysstat package). High %util or await points at a slow or saturated disk.
- Look at recent logs: journalctl -p err -b on systemd systems, or /var/log/messages.
Correction to the old answer: simply enlarging the swap partition does not make a system faster. Swap is slower than RAM, so more swapping usually means worse performance. If the box swaps constantly, the real fix is to add RAM or reduce the workload. The advice to "run in single-user mode" applies only when you are diagnosing or repairing, never as a production performance fix.
What is the command to find the file or process using the most memory?
Run top and press Shift+M to sort by memory, or use ps aux --sort=-%mem | head. To find the largest files on disk, use du -ahx / | sort -rh | head -20 or find / -type f -printf '%s %p\n' | sort -rn | head.
You run ls and get "command not found." What do you do?
This is a PATH problem nine times out of ten. The shell could not find the executable in any directory listed in $PATH.
- Print the current PATH: echo $PATH. It should include /bin, /usr/bin, /sbin, and /usr/sbin.
- If those are missing, call the binary by absolute path to keep working: /bin/ls.
- Restore a sane PATH for the session: export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin.
- Fix it permanently in ~/.bashrc or /etc/profile.
Reinstalling the shell is almost never the answer for a single missing command. On modern systems /bin and /sbin are symlinks into /usr, so a broken PATH that drops /usr/bin hides nearly everything.
System Calls, Trust, and Core Concepts
What is a system call?
A system call is the controlled mechanism a user-space program uses to request a service from the kernel, such as reading a file or creating a process. Common POSIX system calls include open, read, write, close, fork, execve, wait, exit, and kill. You can watch the system calls a process makes with strace -p <pid> on Linux (Solaris used truss). Modern Linux has roughly 400 system calls on x86_64; the exact count changes between kernel versions, so quoting a single fixed number in an interview is a trap.
Why is Linux/Unix often called more "trusted" than legacy Windows?
The honest, defensible answer focuses on design, not brand loyalty:
- Granular permissions: every file has owner/group/other read-write-execute bits, extended further by ACLs and SELinux/AppArmor mandatory access control.
- Plain-text configuration: services are configured in readable files under /etc, so changes are auditable and version-controllable, with no opaque binary registry.
- Open source: the kernel and most tooling are GPL/permissively licensed, so the code can be audited, patched, and redistributed.
- No implicit execution: a downloaded file is not executable until you grant the execute bit, which limits casual malware.
Be fair in an interview: modern Windows enforces strong passwords, UAC, and code signing too. Frame it as architectural strengths of Unix rather than blanket claims that one is "safe" and the other is not.
File and Directory Management Questions
How do you rename a file in Linux?
There is no dedicated rename-one-file verb in the way new users expect; you use mv:
- Rename in place: mv oldname newname
- Move and rename: mv /path/old /other/path/new
For bulk renaming there is a rename command (the Perl rename or util-linux rename, depending on distro). The Perl version takes an expression, e.g. rename 's/\.txt$/\.bak/' *.txt; the util-linux version takes plain strings instead, e.g. rename .txt .bak *.txt. Renaming the host's network name is a different task entirely (covered below), so do not confuse "rename a file" with "rename the machine."
How do you change the hostname permanently?
On any systemd distribution the one correct command is hostnamectl set-hostname newname. The old RHEL method of editing HOSTNAME= in /etc/sysconfig/network is obsolete. Also confirm the name resolves locally by checking /etc/hosts.
What is the advantage of links over copies?
The point of a hard link or symbolic link is a single shared inode (hard link) or a single target (symlink), so one change is reflected everywhere instead of being duplicated across copies. A symlink shows permissions like lrwxrwxrwx, but those belong to the link itself; access is governed by the target file. This also saves disk space, but the real benefit is consistency: patch the original, and every reference sees the update.
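The behaviour described above, as an added example that is not part of the original page. It goes a little further than the paragraph by also showing what each name sees after the original is replaced by rename (as sed -i does) and after it is deleted; the file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: how a hard link, a symlink and a copy track changes to a file.

inode_of()  { ls -di "$1" | awk '{print $1}'; }          # inode number of the name itself
last_line() { tail -n 1 "$1" 2>/dev/null || echo dangling; }

# snapshot LABEL: print what each name currently shows
snapshot() {
    echo "$1 hard=$(last_line hard) soft=$(last_line soft) copy=$(last_line copy)"
}

link_demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        echo v1 > original
        ln original hard        # second directory entry for the same inode
        ln -s original soft     # new inode that only stores the path "original"
        cp original copy        # independent inode and data
        if [ "$(inode_of original)" = "$(inode_of hard)" ]; then h=yes; else h=no; fi
        if [ "$(inode_of original)" = "$(inode_of copy)" ]; then c=yes; else c=no; fi
        echo "same_inode hard=$h copy=$c"

        echo v2 >> original     # in-place write: the inode is unchanged
        snapshot inplace

        echo v3 > original.new  # write-then-rename, as sed -i does
        mv original.new original
        snapshot replaced       # "original" now names a different inode

        rm original
        snapshot removed        # the hard link keeps the data, the symlink dangles
    )
    status=$?
    rm -rf "$dir"
    return $status
}

link_demo
```

A hard link follows the inode and a symlink follows the name, so a tool that patches by rename updates symlink readers but leaves hard-linked names on the old content.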
What command writes to a file and the terminal at the same time?
That is tee. For example, ls -l | tee listing.txt prints to the screen and saves to the file. Add -a to append. The earlier list confused this with tail: tail shows the end of a file (tail -n 100, or tail -f to follow a growing log), it does not split output.
What does (cd /tmp; pwd) print, and why?
It prints /tmp. The parentheses run the commands in a subshell, so cd changes directory only inside that subshell and pwd reports it. Crucially, your current shell's directory is unchanged afterward, because the subshell exits. That side-effect isolation is exactly why subshells are useful in scripts.
Filesystem Interview Questions
What is the difference between ext2, ext3, and ext4?
| Feature | ext2 | ext3 | ext4 |
| --- | --- | --- | --- |
| Journaling | No | Yes | Yes |
| Crash recovery | fsck scan, slow | Replay journal, fast | Replay journal, fast |
| Max file size | up to 2 TiB | up to 2 TiB | up to 16 TiB |
| Max volume size | up to 32 TiB | up to 32 TiB | up to 1 EiB |
| Extents / delayed alloc | No | No | Yes |
The shorthand ext3 = ext2 + journaling is correct: a journal records metadata changes before committing them, so after an unclean shutdown the system replays the journal instead of scanning the whole disk. Recovery time depends on journal size, not volume size. Mention ext4 and XFS as the defaults on current systems; ext2 is effectively legacy.
How do you convert ext2 to ext3 and back?
- Add a journal (ext2 to ext3): tune2fs -j /dev/sdXn
- Remove the journal (ext3 to ext2): tune2fs -O ^has_journal /dev/sdXn (unmount first)
The correct feature name is has_journal with an underscore, and the ^ means "clear this feature."
What is an inode? What is a superblock?
An inode is the on-disk data structure that stores a file's metadata: ownership, permissions, timestamps, size, and pointers to its data blocks. The filename is not stored in the inode; the directory entry maps a name to an inode number. A file is uniquely identified by its filesystem plus its inode number. A superblock is the master record describing the whole filesystem: total size, block size, free and used block/inode counts, and the location of key structures. Backup superblocks exist so the filesystem can be repaired if the primary is damaged.
What if the filesystem runs out of inodes?
You can have free disk space but still get "No space left on device" if inodes are exhausted, common when a directory holds millions of tiny files. Check with df -i. The fix is to delete unneeded small files, or recreate the filesystem with more inodes (mkfs.ext4 -N or a smaller -i bytes-per-inode value). XFS allocates inodes dynamically and rarely hits this limit.
Swap and Memory Questions
How do you create swap when there is no free partition?
Use a swap file:
- Create the file (1 GiB example): dd if=/dev/zero of=/swapfile bs=1M count=1024
- Secure it: chmod 600 /swapfile
- Format it as swap: mkswap /swapfile
- Enable it: swapon /swapfile
- Make it persistent in /etc/fstab: /swapfile none swap defaults 0 0
Correction: the old snippet skipped mkswap and called swapon on an unformatted file, which fails. The mkswap step is mandatory. Use fallocate -l 1G /swapfile as a faster alternative to dd on most filesystems.
How do you view swap and RAM details?
Use free -h for a quick summary, swapon --show or cat /proc/swaps for swap devices, and cat /proc/meminfo for detailed memory statistics. The old answer's /proc/swap is wrong; the correct path is /proc/swaps.
Networking and Firewall Questions
How do you configure a Linux box as a router?
- Enable forwarding now: sysctl -w net.ipv4.ip_forward=1
- Make it permanent: set net.ipv4.ip_forward = 1 in /etc/sysctl.conf (or a file in /etc/sysctl.d/), then apply it with sysctl -p (sysctl --system also loads the files under /etc/sysctl.d/).
- Have two interfaces on different networks and add the appropriate NAT/forwarding firewall rules.
Writing to /proc/sys/net/ipv4/ip_forward directly works but is lost on reboot, because /proc lives in memory. The persistent change must go in sysctl configuration.
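One way to check whether a running forwarding setting will survive a reboot, as an added example that is not from the original page. It assumes a simplified load order (files in /etc/sysctl.d/ by name, then /etc/sysctl.conf, last assignment wins) and runs against a constructed directory tree; the file name 90-router.conf is hypothetical.

```shell
#!/bin/sh
# Added example: compare the runtime ip_forward value with the persistent configuration.

# forwarding_state ROOT
#   ROOT is "/" on a real host. Prints the runtime value, the persistent value and a verdict.
forwarding_state() {
    root=${1%/}
    runtime=$(cat "$root/proc/sys/net/ipv4/ip_forward" 2>/dev/null) || runtime=unknown
    # Simplified ordering (assumption): sysctl.d files in name order, then sysctl.conf.
    # Commented-out lines do not match the pattern, so they count as unset.
    persistent=$(cat "$root"/etc/sysctl.d/*.conf "$root/etc/sysctl.conf" 2>/dev/null |
        sed -n 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*\([01]\)[[:space:]]*$/\1/p' |
        tail -n 1)
    [ -n "$persistent" ] || persistent=unset
    case "$runtime:$persistent" in
        unknown:*) verdict=unknown ;;
        1:1)       verdict=persistent ;;
        1:*)       verdict=lost-on-reboot ;;
        0:1)       verdict=enabled-at-next-boot ;;
        *)         verdict=disabled ;;
    esac
    echo "runtime=$runtime persistent=$persistent verdict=$verdict"
}

# Constructed tree standing in for a host where forwarding was enabled with sysctl -w only.
forwarding_demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/proc/sys/net/ipv4" "$t/etc/sysctl.d"
    echo 1 > "$t/proc/sys/net/ipv4/ip_forward"
    echo '#net.ipv4.ip_forward = 1' > "$t/etc/sysctl.conf"
    forwarding_state "$t"
    # Now add the persistent setting (hypothetical file name) and check again.
    echo 'net.ipv4.ip_forward = 1' > "$t/etc/sysctl.d/90-router.conf"
    forwarding_state "$t"
    rm -rf "$t"
}

forwarding_demo
```

On a real host, call forwarding_state / and treat enabled-at-next-boot on a machine that is not meant to route as a configuration finding.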
What is the difference between ipchains, iptables, and nftables?
ipchains was the 2.2-era firewall and is long obsolete. iptables replaced it on top of the netfilter framework with tables (filter, nat, mangle) and chains. On current distributions, nftables (the nft command) has replaced iptables as the back end, and most admins use the higher-level firewalld on RHEL-family systems or ufw on Ubuntu. Know iptables syntax for legacy work, but mention nftables as the modern standard.
Write a rule to accept inbound HTTP from one host.
To accept TCP port 80 to 192.168.0.2 from 172.16.0.1 with iptables:
iptables -A INPUT -s 172.16.0.1 -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
The firewalld equivalent uses a rich rule; the nftables equivalent adds the match to an inet filter chain. Note that 172.168.0.1 in the original is not a valid private address; the private range is 172.16.0.0/12.
Name a common service that uses UDP only.
DHCP (ports 67/68) and NTP (port 123) are UDP-based. DNS is the classic gotcha: it uses UDP for most queries but falls back to TCP for large responses and zone transfers, so it is not UDP-only. List the services and protocols with grep udp /etc/services or inspect live sockets with ss -lun.
How do you find a remote machine's OS and open ports?
Use Nmap: nmap -A -v <host> performs OS detection, version scanning, and traceroute. For local listening sockets, prefer the modern ss -tulnp over the deprecated netstat -tulnp.
NFS, Mounts, and Storage
What is the difference between hard and soft NFS mounts?
This is about how the client behaves when the NFS server is unreachable:
- Hard mount: the client retries indefinitely; I/O blocks until the server returns. Safer for data integrity, which is why it is the default. It was historically combined with intr, though modern kernels handle interruption differently.
- Soft mount: the client gives up after a timeout and returns an I/O error. This avoids hangs but risks data corruption on writes, so use it cautiously.
Correction: hard vs. soft is the hard/soft mount option, not the difference between /etc/fstab and autofs. An /etc/fstab entry is a static mount; /etc/auto.master with autofs is an on-demand automount. Those are separate concepts that the old list ran together.
How do you make an NFS mount permanent?
Add an entry to /etc/fstab and test it without rebooting using mount -a. A typical line:
192.168.0.1:/var/ftp/pub /mnt/pub nfs defaults,_netdev 0 0
The _netdev option tells systemd to wait for the network before mounting, which prevents boot hangs.
What is the default extent size in LVM, and the partition type codes?
The default physical extent (PE) size in LVM2 is 4 MiB. For MBR partition type codes (set in fdisk): swap is 82, Linux RAID autodetect is fd, and LVM is 8e. On GPT disks you instead use GUID type codes via gdisk or parted.
Boot Process, Services, and Permissions
What are the Linux boot files, and what is LILO/GRUB?
The key boot components are the bootloader configuration (/boot/grub2/grub.cfg on GRUB 2), the compressed kernel (vmlinuz), and the initial RAM disk (initramfs, historically initrd.img). LILO (Linux Loader) was the original bootloader; it has been fully replaced by GRUB 2, which supports a menu, scripting, and UEFI booting. Mention systemd-boot as a lightweight UEFI alternative.
Compare SysV init services with xinetd-managed services.
| SysV daemons | xinetd (super-server) services |
| --- | --- |
| Run continuously in the background | Started on demand when a connection arrives |
| Managed with service / init scripts in /etc/rc.d | Wrapped by the xinetd daemon, configs in /etc/xinetd.d |
| Always consuming a little memory | No idle footprint, slight per-connection startup cost |
On current systems both have largely given way to systemd, which manages services as units (systemctl start/enable name) and provides socket activation that replaces xinetd's on-demand model.
What is the UID and GID of root? Who can change file ownership?
Root has UID 0 and GID 0, which is why the kernel grants it the right to bypass normal permission checks. Only root (or a process with the appropriate capability) can change a file's owner with chown user:group file; a normal user cannot give away or take ownership of files. A regular user can change the group of their own files to a group they belong to with chgrp.
Common Command Questions (sed, tar, logs)
What is sed, and how do you substitute text?
sed is the stream editor for transforming text in a pipeline or file. Key patterns:
- Substitute first match per line: sed 's/old/new/'
- Substitute every match (global): sed 's/old/new/g'
- Replace only the third match: sed 's/old/new/3'
- Reuse the matched text with &: echo 'hello' | sed 's/hello/& world/' prints hello world
- Capture groups with \(...\) referenced as \1, \2 (or (...) with -E)
- Trim trailing whitespace: sed 's/[ \t]*$//'
- Print only the first line: sed -n '1p', or stop after line 10 with sed 10q
- Run a script file: sed -f script.sed input.txt
Always edit safely with sed -i.bak 's/old/new/g' file so you keep a backup.
What does the tar command do?
tar archives many files into one and extracts them. Modern usage adds compression flags:
- Create a gzip archive: tar -czvf backup.tar.gz /etc
- List contents: tar -tzvf backup.tar.gz
- Extract: tar -xzvf backup.tar.gz -C /restore/path
Plain tar -cvf file.tar dir archives without compressing. Note that tar of /etc/passwd does not encrypt anything; it just bundles files.
How do you find failed SSH logins and login history?
On RHEL-family systems read /var/log/secure; on Debian/Ubuntu read /var/log/auth.log. Useful commands:
- Failed attempts: grep "Failed password" /var/log/secure
- Bad logins by user/host: lastb
- Successful login history: last
- On systemd: journalctl -u sshd | grep -i failed
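The grep above lists every failed attempt; for triage you usually want them grouped by source. The following is an added example, not part of the original page, that summarises failures per address over constructed sample lines in the usual OpenSSH syslog format (addresses are from documentation ranges).

```shell
#!/bin/sh
# Added example: summarise failed SSH password attempts per source address.

# Constructed sample log lines, not taken from a real host.
sample_log() {
cat <<'EOF'
Mar  3 10:01:11 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:14 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:19 web01 sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 10:02:40 web01 sshd[2301]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Mar  3 10:05:02 web01 sshd[2410]: Failed password for alice from 198.51.100.20 port 40100 ssh2
EOF
}

# failed_by_source THRESHOLD
#   Reads auth log lines on stdin and prints "count address users" for every
#   source with at least THRESHOLD failures, highest count first.
failed_by_source() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            # Use the last "from" on the line, so an odd user name cannot shift the fields.
            f = 0
            for (i = 1; i <= NF; i++) if ($i == "from") f = i
            if (f < 2 || f == NF) next
            ip = $(f + 1); user = $(f - 1)
            count[ip]++
            if (!seen[ip, user]++)
                users[ip] = (users[ip] == "" ? "" : users[ip] ",") user
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip, users[ip] }
    ' | sort -k1,1nr -k2,2
}

# Real use: failed_by_source 5 < /var/log/secure   (or /var/log/auth.log)
sample_log | failed_by_source 3
```

Several distinct user names from one address, as in the first result line, is the pattern fail2ban is configured to ban.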
How do you background and foreground a job?
Press Ctrl+Z to suspend the running foreground job, then type bg to resume it in the background. Bring it back with fg. List jobs with jobs, and detach a long task entirely with nohup command & or a terminal multiplexer like tmux.
How do you check when a file was created or last changed?
Use stat filename for full timestamps (access, modify, change). Note that most Linux filesystems do not store a true "creation" time historically, though ext4 and XFS now record a birth time you can see with stat on recent kernels. For a quick listing sorted by time use ls -ltr.
Security and Monitoring Questions
What Linux security tools should you know?
- ClamAV — open-source antivirus, often used for mail-gateway scanning.
- rkhunter and chkrootkit — scan for rootkits, backdoors, and local exploits.
- fail2ban — bans IPs after repeated failed logins (essential for SSH).
- SELinux / AppArmor — mandatory access control that confines services.
- auditd and Lynis — auditing and hardening assessments.
What do Apache 403 and 404 status codes mean?
403 Forbidden means the server understood the request but refuses access, often due to filesystem permissions, a missing Require directive, or an SELinux context mismatch (fix with restorecon). 404 Not Found means the requested resource does not exist at that path, a missing file or a broken URL. The original answer's specifics were imprecise; these are the accurate definitions.
How do you monitor ports continuously and find top space users?
For sockets use ss -tulnp (the modern replacement for netstat -anp); for the top space-consuming home directories use du -sh /home/* | sort -rh | head -10. Note that sort -h is what orders human-readable sizes correctly; the old sort -nr gives the right order only on plain numeric output, that is, when you drop -h from du.
Key Takeaways
- Answer troubleshooting questions with a method (CPU, memory, I/O, network) and the right tools (top, free -h, iostat, journalctl), not a single canned command.
- Know the corrected fundamentals: ext3 = ext2 + journaling, inodes hold metadata not filenames, and the superblock describes the whole filesystem.
- Creating a swap file requires mkswap before swapon; persistent changes go in /etc/fstab and /etc/sysctl.conf, never just /proc.
- Cite legacy tools when asked, but pair them with modern equivalents: nftables/firewalld over ipchains, ss over netstat, systemctl over SysV init, GRUB 2 over LILO.
- Root is UID/GID 0, hard vs. soft NFS mounts is the hard/soft option (not fstab vs. autofs), and tee writes to a file and the terminal simultaneously.
Frequently Asked Questions
What are the most common Linux system admin interview questions?
Expect questions on troubleshooting a slow server, the boot process (GRUB, kernel, initramfs, systemd), filesystem differences (ext4 vs. XFS, inodes, journaling), permissions and ownership, networking and firewalls, NFS mounts, and everyday commands like sed, tar, ss, and log analysis. Interviewers care about your reasoning as much as the exact syntax.
Is iptables still asked in Linux interviews?
Yes, because many production systems still run it, but you should also explain that nftables is the modern netfilter back end and that firewalld (RHEL) and ufw (Ubuntu) are the common front ends. Showing both legacy and current knowledge is what gets you hired.
What is the difference between ext3 and ext4?
Both are journaling filesystems, but ext4 adds extents, delayed allocation, much larger file and volume limits (up to 16 TiB files and 1 EiB volumes), and faster fsck. ext4 is backward-compatible with ext3 and is the safer default for general workloads, while XFS is often preferred for very large or high-throughput storage.
How do you check why a Linux server is running slow?
Start with uptime for load average, top/htop for CPU and memory, free -h and vmstat 1 for memory/swap pressure, iostat -xz 1 for disk I/O, and journalctl -p err -b for recent errors. Identify which resource is the bottleneck before making any change.