/etc: Explanation & Insights

/etc is the directory where a Unix or Linux system keeps its system-wide configuration, stored as plain, human-readable text files that any editor can change.

What It Is

/etc is where a Linux system keeps its mind. Almost every decision the machine makes about itself — who is allowed to log in, which disks to mount at boot, what its own name is, where to look up other names on the network, what runs while you sleep — is written down in a file under /etc. Open one and it reads back to you. There is no hidden database, no console you have to launch, no format you need a special program to decode. It is text, one file per concern, and the concerns are laid out in the open.

That is the whole idea, and it is worth slowing down on, because it is a genuine design decision and not an accident: configuration on a Unix system is writing, not state. The system doesn't remember how it's set up in some opaque internal way and let you nudge it through a control panel. It reads its setup, fresh, out of these files, every time it needs to know. Change the file and you have changed what the machine believes. Nothing else to press.

The Filesystem Hierarchy Standard — the document that says which directory holds what on a Linux system — gives /etc one firm rule worth remembering: no binaries. Configuration lives here; the programs that read it live elsewhere, in /usr/bin and friends. A shell script is fine (plenty of them run at boot), but a compiled executable does not belong in /etc. Config and code sleep in separate rooms, and that separation is half of why the place stays legible.

Why It Matters

Here is the bet Unix made, and it is easiest to see by looking at who took the other side.

Windows keeps its configuration in the registry — one enormous binary database, a handful of files full of packed keys and values that you cannot read with your eyes and cannot edit without a dedicated tool. It is fast, and it is tidy, and when it works you never think about it. The trouble is that it is one thing. Corrupt the wrong part of it and you haven't lost a setting, you've lost the machine, and the fix is rarely "open it and repair the line" — because you can't open it, not really.

/etc is the opposite wager. It is a pile of separate text files, and every property that flows from text and from separate is a gift you only notice when something breaks. You can read them, so you can understand a machine you've never seen. You can diff them, so you can ask "what changed since yesterday?" and get an answer. You can copy the directory somewhere safe with cp and call it a backup. You can grep the whole tree for a string. You can commit it to version control and watch, line by line, how the box drifted over two years — there's a tool, etckeeper, that does exactly this, quietly checking /etc into git after every package install.

And the one that matters most on the worst day: when a machine won't boot, you can walk in through a rescue shell, chroot into the broken system, open the offending file in vi, fix the one wrong line, and leave. No database engine has to come up. No network. No graphical anything. A text editor and a working pair of eyes, and the patient is on its feet. That recovery story is not a happy accident of plain text — it is plain text, doing the only thing it was ever going to do.

Note

Editing a file under /etc is a bigger deal than editing one in your home directory: these settings are system-wide, they affect every user, and a bad line in something like /etc/fstab can stop the machine from booting. Read twice, save once, and keep the old version.

What Lives Here

You could spend a career learning /etc and not finish, but a handful of files carry most of the weight. Meet the ones you'll actually touch.

  • /etc/passwd — the roster of every account on the system, one per line. Despite the name it holds no passwords anymore (more on that in a moment). Each line is seven fields divided by colons: login name, a placeholder x, the numeric user ID, the group ID, a free-text description, the home directory, and the login shell.
  • /etc/shadow — where the actual password hashes went when they left passwd. Locked down tight; only root may read it.
  • /etc/fstab — the file systems table: which disks and partitions get mounted where, and with what options, each time the machine boots. Get a line wrong here and the boot can hang, which is why it earns the warning above.
  • /etc/hosts — a tiny, local phone book mapping names to IP addresses, consulted before the machine ever asks a DNS server. This is why localhost resolves even with the network unplugged.
  • /etc/hostname — one line, the machine's own name. That's the whole file.
  • /etc/resolv.conf — which DNS servers to ask when a name needs turning into an address. On a modern system this is often generated for you, so read the top comment before you hand-edit it.
  • /etc/crontab and the /etc/cron.d, /etc/cron.daily, /etc/cron.weekly directories — the schedule of everything the machine does on its own, from log rotation to backups. If a server does something mysterious at 3 a.m., the answer is almost always in here. (See cron.)
  • /etc/ssh — the configuration and host keys for SSH, including sshd_config, the single most consequential security file on most servers.
  • /etc/systemd — where your local overrides for systemd, the thing that starts and supervises services, are kept.
  • /etc/sysctl.conf — knobs for the running kernel itself: network tuning, memory behaviour, security toggles.
  • /etc/os-release — the machine tells you what it is. Reliable, standard, and the polite way to ask "which distribution and version am I on?"

Here's what that last one looks like — a real one, from the machine this was written on:

PRETTY_NAME="Debian GNU/Linux 13 (trixie)"
NAME="Debian GNU/Linux"
VERSION_ID="13"
VERSION_CODENAME=trixie
ID=debian

Ten seconds with cat and you know the distribution, the release, and its codename — no guessing from the shape of the prompt.

A Line of /etc/passwd, Read Slowly

The seven fields of /etc/passwd reward a close look, because the whole history of Unix account handling is folded into them. Here is the first line on almost any Linux box:

root:x:0:0:root:/root:/bin/bash

Reading left to right: the account is named root; its password is x; its user ID and group ID are both 0 (which is what makes it root — the number, not the name); its description is root; its home is /root; and it logs in with the Bash shell.

That second field, the lonely x, is a fossil of a fixed security hole. For years the encrypted password sat right there in the third position, in a file that has to be world-readable — every program that turns a user ID back into a name needs to read passwd, so it cannot be locked away. Which meant every user could read every user's password hash, carry it home, and grind against it offline for as long as they liked. The fix, in the late 1980s, was to move the hash out to /etc/shadow — readable only by root — and leave behind a placeholder x that says, plainly, "the real thing is next door, and you're not allowed in there." The public file kept everything harmless and gave up the one secret.

Backstory

That fifth field — the description — has a name, and the name is a small piece of buried history. It's called the GECOS field, after the General Electric Comprehensive Operating System, a mainframe from the 1960s. Early Unix at Bell Labs had no printer of its own, so it shipped its print jobs over to a GE machine down the hall, and the field was added to passwd to carry the account information that machine wanted. The GE mainframe is fifty years gone. The field still carries its name. Every full name on every Linux system on Earth sits in a slot named after someone else's borrowed printer.

Gotchas

  • /etc is host-specific. These files describe this machine, not machines in general. Copying /etc/fstab or /etc/hostname wholesale from one server to another is how you get two boxes convinced they're the same box, mounting disks that aren't there.
  • Some files here are managed for you. /etc/resolv.conf and a few others are often regenerated by a service, so a hand edit vanishes on the next reboot. When a file starts with a comment shouting "DO NOT EDIT," believe it, and edit the source it names instead.
  • Permissions are part of the configuration. /etc/shadow being unreadable to normal users is not a nicety, it's the whole security model. If you ever chmod a file in /etc to make an error go away, you may have just made a far quieter one.
  • The junk-drawer past still shows. /etc was never designed as a clean namespace, so it's a mix of tidy subdirectories and loose files with cryptic names from every decade of Unix at once. Don't expect a system; expect sediment.

Cheat Sheet

# What am I running?
cat /etc/os-release

# Who can log into this machine?
cat /etc/passwd

# What gets mounted at boot?
cat /etc/fstab

# What runs on a schedule?
ls /etc/cron.d /etc/cron.daily
cat /etc/crontab

# Which DNS servers does this box use?
cat /etc/resolv.conf

# Search all of /etc for a setting
grep -r "PermitRootLogin" /etc/ssh

# What changed in /etc since the backup?
diff -r /etc /mnt/backup/etc

History & Philosophy

The name is the oldest joke in the directory. /etc was there in the fifth edition of Unix in 1974, and it stands, honestly and unglamorously, for et cetera — Latin for "and the rest." In the beginning it was the drawer for everything that didn't fit anywhere else: not a program, not a user's file, just... the rest. Brian Kernighan and Rob Pike, writing up early Unix, described /etc in exactly those words. It is the kitchen drawer of the operating system — the one with the spare batteries and the takeout menus and the screwdriver — except that over the decades this particular junk drawer quietly became the single most important place on the machine.

You'll sometimes hear that /etc stands for "Editable Text Configuration." It's a tidy story and it fits the directory beautifully, but it isn't true — it's a backronym, invented long after the fact to explain a name that had gotten mysterious. The real answer is the humbler one: someone in 1974 needed a place for the odds and ends, called it "and the rest," and the odds and ends turned out to run the world.

What survived is the deeper idea underneath the name: that a computer's configuration should be readable by the person who has to fix it. Plain text was not the obvious choice — it costs a little speed and a little discipline — and Unix made it anyway, and fifty years later you can still walk up to a machine you've never met, open a file, and understand how it thinks. That is a rare kind of gift to leave the future, and /etc has been leaving it, one file at a time, the whole while.

See Also

  • /etc/fstab — the file systems table, and the one most worth handling carefully
  • /etc/passwd and /etc/shadow — the account roster and where its secrets went
  • /var/log — where the machine writes down what happened, as /etc records what should happen
  • SSH — configured almost entirely from /etc/ssh
  • configuration — the broader idea of telling a system how to behave
  • grep and diff — the two commands that turn a directory of text into something you can actually reason about

Ever changed a config file and forgotten you did — until the server fell over weeks later?

CleverUptime watches how your machine behaves and tells you, in plain words, when its config quietly stopped matching reality — and what to check first.

Want to see your own server's health right now? One command, no signup, no install.

Check your server →