DEV Community

Cover image for Linux Doesn't Care What You Name Your Files (And That's a Security Problem)
Ayesha Abbas
Ayesha Abbas

Posted on

Linux Doesn't Care What You Name Your Files (And That's a Security Problem)

While working through How Linux Works as part of my daily Linux study, I learned something that quietly rearranged how I think about files: Linux doesn't check whether a filename matches its content. At all.

You could rename a shell script to definitely_a_pdf.pdf, and Linux will run it exactly the same as if you'd been honest. The extension is just decoration, a label you're free to lie about.

That's also exactly how a lot of phishing attacks work. invoice.pdf.exe disguised as invoice.pdf. A convincing icon. A victim who trusts a filename instead of checking what the file actually is.

How files are actually identified

Every real file format has a signature, "magic bytes", at the very start of its content, completely independent of the filename:

PDFs start with %PDF-
JPEGs start with FF D8 FF
Linux executables (ELF) start with 7F 45 4C 46

Run file somefile.txt on Linux and it reads these bytes directly, telling you what something actually is, not what its name claims.

So I built a small detector

Instead of just reading about this, I wrote masq_detector, a small Python CLI that scans a directory, checks each file's real content against its claimed extension, and flags mismatches, specifically prioritizing files that are both disguised and directly executable.

pythonif is_dangerous_content and extension_mismatch:
severity = "HIGH"

That and wasn't there in my first version, I originally used or, which meant any executable got flagged, including perfectly honest .exe installers sitting in my Downloads folder. Running it against my real Downloads directory surfaced that false positive immediately, which was a good reminder that testing against real data catches design flaws that testing against toy examples never will.

What it actually does under the hood

It leans on the Unix file command for the actual content detection, no reason to reinvent decades of battle-tested magic-byte parsing. What I built is the layer on top: comparing that output against expected keywords per extension, and deciding what counts as a genuine threat versus a harmless mismatch.

Honest limitations

No ML, no fancy heuristics, just straightforward signature comparison
Linux/macOS only, since it depends on the file command
A learning project, not a production security tool

Why this mattered to me
I'm a CS student working toward graduation in 2028, currently deep in Linux and networking self-study, with cloud security as the direction I'm exploring next and a DAAD-funded Masters in Germany as the long-term goal. Small, fully-understood projects like this one feel like the right way to build toward that, not by making something impressive, but by making something I can actually explain, line by line.

Code: github.com/AyeshaAbbas-engg/masq_detector

What's a Linux "wait, that's how it works?" moment you've had recently? I'm collecting these.

Top comments (0)