Skip to content

Linux Ops — Trivia & Interesting Facts

Surprising, historical, and little-known facts about Linux operations and system administration.

The root account is UID 0, and that is hardcoded into the kernel

It does not matter what you name the superuser account — the kernel checks for UID 0, not the name "root." You can rename root to "admin" and everything still works. Conversely, if you create a second account with UID 0, it has full root privileges. Some hardening guides suggest renaming root to slow down automated attacks.

/etc stands for "et cetera" and it was a junk drawer

In early Unix, /etc was a catch-all directory for files that did not fit anywhere else — literally "et cetera." Over time it evolved into the standard location for system configuration files. Dennis Ritchie confirmed this etymology. The joke is that the most critical directory on the system was named after the concept of miscellaneous leftovers.

The /tmp directory is cleared on reboot by design — but not always

Whether /tmp is cleared on boot depends on the distribution and configuration. Systemd-based systems use tmpfiles.d to manage /tmp cleanup, and some mount /tmp as tmpfs (a RAM-backed filesystem) which inherently clears on reboot. RHEL cleans /tmp of files older than 10 days via systemd-tmpfiles-clean.timer. This inconsistency has caused data loss when developers use /tmp for semi-persistent storage.

The "ls" command has over 60 flags on GNU/Linux

GNU ls accepts more than 60 command-line options, making it one of the most feature-rich Unix commands. Most users only know -l, -a, -h, and -R. Hidden gems include --time=birth (show creation time), --group-directories-first, and --sort=size. The ls source code in GNU coreutils is over 5,000 lines of C.

Log rotation was invented because logs fill disks

logrotate, written in 1996, exists because a fundamental Unix design principle — append-only log files — conflicts with finite disk space. Before logrotate, sysadmins wrote custom cron jobs to rotate logs. The copytruncate option (copy the log then truncate the original) was added because many daemons do not handle SIGHUP log reopening correctly.

The "wall" command broadcasts to all terminals and predates email

The wall (write all) command sends a message to every logged-in user's terminal. It dates back to the 1970s when Unix was a multi-user timesharing system and administrators needed to warn users about maintenance. It still works today but is rarely used because most Linux servers have zero interactive users.

Environment variables were a Unix invention

Environment variables, now ubiquitous across all operating systems, were introduced in Version 7 Unix in 1979. The PATH variable, which tells the shell where to find commands, was part of this original design. The 12-factor app methodology (2011) popularized using environment variables for application configuration, citing the Unix tradition.

The "sudo" command was created at SUNY Buffalo in 1980

sudo (superuser do) was written by Bob Coggeshall and Cliff Spencer at SUNY Buffalo around 1980. Todd C. Miller took over maintenance in 1994 and has maintained it for 30+ years. The sudoers file syntax is notoriously complex — the manual for the configuration file alone is over 2,000 lines. The common misconception is that sudo stands for "switch user and do," but it originally meant "superuser do."

Screen was released in 1987, tmux in 2007

GNU Screen, the original terminal multiplexer, was written by Oliver Laumann in 1987. tmux (terminal multiplexer), created by Nicholas Marriott 20 years later, offered a cleaner codebase and BSD license. The Screen vs. tmux debate ran for a decade, but tmux has largely won due to better scripting support and active development. Screen's last major release was in 2008.

The "yes" command exists because interactive prompts were a nuisance

The yes command, which outputs "y" (or any string) forever, was written by Ken Thompson because 1970s Unix programs frequently asked "are you sure?" with no batch mode. It is sometimes used for benchmarking because it can saturate a single CPU core and pipe bandwidth. Despite its simplicity, yes has been optimized multiple times in GNU coreutils for throughput.

Linux uptime records exceed 10 years

Some Linux servers have achieved uptimes exceeding 10 years without reboot. Ksplice (2008, acquired by Oracle) and later kpatch (Red Hat) and livepatch (Canonical) enable applying kernel security patches without rebooting. However, extended uptime is increasingly seen as a liability rather than an achievement, since it means skipping kernel updates.

Networking Tools Trivia

ifconfig was deprecated in 2009 but most people did not notice until 2017

The net-tools package (ifconfig, route, netstat, arp) was declared unmaintained in 2009 in favor of iproute2 (ip, ss). But ifconfig remained installed by default on most distributions until around 2017. Many tutorials and even certification materials continued teaching ifconfig for years after deprecation.

netstat was replaced by ss, which is 10x faster on busy servers

ss (socket statistics) dumps socket information directly from kernel data via netlink, while netstat parses /proc/net/tcp line by line. On a server with 50,000 connections, netstat can take 30+ seconds; ss returns in under 1 second.

tcpdump was written in 1988 and still uses the same filter syntax

tcpdump was created by Van Jacobson, Craig Leres, and Steven McCanne at Lawrence Berkeley National Laboratory. Its BPF (Berkeley Packet Filter) syntax became so influential that the Linux kernel adopted BPF as a general-purpose in-kernel virtual machine, eventually evolving into eBPF.

ping was written in one evening and named after sonar

Mike Muuss wrote ping in December 1983 at the U.S. Army Ballistic Research Laboratory. He named it after the sound sonar makes. Muuss wrote it as a diagnostic tool and never patented it. He tragically died in a car accident in 2000 at age 44.

traceroute exploits a "bug" in IP's design

traceroute works by sending packets with incrementally increasing TTL values, starting at 1. Each router that decrements TTL to zero sends back an ICMP "Time Exceeded" message. This was never the intended use of TTL — it was meant to prevent routing loops. Van Jacobson wrote the original traceroute in 1988.

curl supports over 25 protocols

curl, created by Daniel Stenberg in 1998, supports HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, LDAP, MQTT, IMAP, POP3, SMTP, Telnet, and many more. As of 2024, curl has been installed on over 10 billion devices. Stenberg maintains it largely as a solo project.

nmap has been in 12 Hollywood movies

Nmap, written by Gordon "Fyodor" Lyon in 1997, appeared in The Matrix Reloaded (2003), where Trinity uses nmap -v -sS -O 10.2.2.2 to find an SSH vulnerability. The scene is notable for showing a real, technically accurate exploit chain.

iptables was replaced by nftables but the transition is glacial

nftables was merged into the Linux kernel in 2014 (kernel 3.13) as the successor to iptables. It offers better performance, a saner syntax, and atomic rule replacement. Yet as of 2025, most documentation and even some distributions still default to iptables.

iproute2's ip command has a little-known JSON output mode

Since iproute2 version 4.13 (2017), the ip command supports -j for JSON output. ip -j addr show | jq '.[].ifname' gives clean, parseable network interface data. This feature is rarely mentioned in tutorials but makes ip output machine-readable without fragile text parsing.