Bash
An overview of Bash metacharacters, their functions, and how they influence parsing, expansion, and execution in Unix‑like environments
The following table provides an overview of meta‑characters commonly used in both the Bourne shell and the C shell. To improve completeness, several compound character sequences have also been included.
While the table offers a broad reference, it does not cover every nuance of shell behavior. Shell meta‑characters can interact in subtle and sometimes unexpected ways, which is important to keep in mind when analyzing or constructing command sequences in a security context.
| Syntax | Description |
|---|---|
< | Redirect stdin (read input from a file instead of the keyboard) |
> or 1> | Redirect stdout (write to a file, overwriting it) |
2> | Redirect stderr (write to a file, overwriting it) |
&> | Redirect both stdout and stderr (overwrite) |
>> or 1>> | Redirect stdout, but append instead of overwrite |
2>> | Redirect stderr, append |
&>> | Redirect both stdout and stderr, append |
1>&2 | Redirect stdout → stderr |
2>&1 | Redirect stderr → stdout |
| Character | Where | Meaning |
|---|---|---|
| bash,sh | Execute command | |
| # | bash,sh | Start a comment |
| bash,sh | Argument separator | |
| ` | bash,sh | Command substitution |
| " | bash,sh | Weak Quotes |
| ' | bash,sh | Strong Quotes |
| \ | bash,sh | Single Character Quote |
| variable | bash,sh | Variable |
| variable | bash,sh | Same as variable |
| | | bash,sh | Pipe character |
| ^ | bash,sh | Pipe Character |
| & | bash,sh | Run program in background |
| ? | bash,sh | Match one character |
| * | bash,sh | Match any number of characters |
| ; | bash,sh | Command separator |
| ;; | bash,sh | End of Case statement |
| ~ | bash,sh | Home Directory |
| ~user | bash,sh | User's Home Directory |
| ! | bash,sh | History of Commands |
| - | bash,shs | Start of optional argument |
| $# | bash,sh | Number of arguments to script |
| $* | bash,sh | Arguments to script |
| $@ | bash,sh | Original arguments to script |
| $- | bash,sh | Flags passed to shell |
| $? | bash,sh | Status of previous command |
| $$ | bash,sh | Process identification number |
| $! | bash,sh | PID of last background job |
| && | bash,sh | Short-circuit AND |
| || | bash,sh | Short-circuit OR |
| . | bash,sh | Typ. filename extension |
| . | bash,sh | Source a file and execute as command |
| : | bash,sh | Nothing command |
| : | bash,sh | Separates values in environment variables |
| : | bash,sh | Variable modifier |
| Character | bash,sh | Meaning |
| [ ] | bash,sh | Match range of characters |
| [ ] | bash,sh | Test |
| %job | bash,sh | Identifies job number |
| (cmd;cmd) | bash,sh | Runs cmd;cmd as a sub-shell |
| { } | bash,sh | In-line expansions |
| {cmd;cmd } | bash,sh | Like (cmd;cmd) without a subshell |
| >ofile | bash,sh | Standard output |
| >>ofile | bash,sh | Append to standard output |
| <ifile | bash,sh | Standard Input |
| <<word | bash,sh | Read until word, substitute variables |
| <<word | bash,sh | Read until word, no substitution |
| <<-word | bash,sh | Read until word, ignoring TABS |
| >>!file | bash,sh | Append to file, ignore error if not there |
| >!file | bash,sh | Output to new file, ignore error if not there |
| >&file | bash,sh | Send standard & error output to file |
| <&digit | bash,sh | Switch Standard Input to file |
| <&- | bash,sh | Close Standard Input |
| >&digit | bash,sh | Switch Standard Output to file |
| >&- | bash,sh | Close Standard Output |
| digit1<&digit2 | bash,sh | Connect digit2 to digit1 |
| digit<&- | bash,sh | Close file digit |
| digit2>&digit1 | bash,sh | Connect digit2 to digit1 |
| digit>&- | bash,sh | Close file digit |
A solid understanding of shell meta‑characters is essential when working in Unix‑like environments, particularly in security‑focused contexts. Throughout this material, we will also look at practical methods for verifying how the shell interprets these characters, enabling you to identify where unexpected behavior originates.
Most keyboards provide three different types of quotation marks. Two of them — the single quote (') and the double quote (") — are the same characters used for standard English punctuation, and both play important roles in controlling how the shell processes text. The third character, the backtick (`), is visually similar to the single quote, which often leads to confusion in shell scripts.
Despite the resemblance, the backtick does not serve as a quoting mechanism.
Instead, the backtick is used for command substitution. Any text enclosed within backticks is executed by the shell, and the resulting output is inserted directly into the surrounding command.
-
For example:
result=`command`
A precise understanding of how these characters behave — and how the shell interprets them under different conditions — is fundamental in offensive security work. Meta‑characters control parsing, expansion, redirection, and execution flow, and even small misunderstandings can lead to unexpected command behavior.
For an attacker, these mechanics are tools; for a defender, they are potential entry points.
Mastering these distinctions is essential when crafting payloads, bypassing filters, manipulating input vectors, or analyzing how a target system processes user‑supplied data.
Whether you are building reliable exploitation chains, testing for injection vulnerabilities, or tracing how a command is being parsed during debugging, knowing exactly how the shell treats each character is what allows you to predict — and control — the outcome.
Examples of Bourne shell filename expansions
| Pattern | Matches |
|---|---|
| * | Every file in the current directory |
| ? | Files consisting of one character |
| ?? | Files consisting of two characters |
| ??* | Files consisting of two or more characters |
| [abcdefg] | Files consisting of a single letter from a to g. |
| [gfedcba] | Same as above |
| [a-g] | Same as above |
| [a-cd-g] | Same as above |
| [a-zA-Z0-9] | Files that consist of a single letter or number |
| [!a-zA-Z0-9] | Files that consist of a single character not a letter or number |
| [a-zA-Z]* | Files that start with a letter |
| ?[a-zA-Z]* | Files whose second character matches a letter. |
| *[0-9] | Files that end with a number |
| ?[0-9] | Two character filename that end with a number |
| *.[0-9] | Files that end with a dot and a number |
Bash Commands
Set or unset values of shell options and positional parameters.
bash -c "help set"
Enable execution tracing for debugging
bash --debug
Start Bash with the built‑in debugger enabled
bash --debugger
Print translatable strings (gettext .po format) from Bash
bash --dump-po-strings
Print all static strings compiled into the Bash binary
bash --dump-strings
Display Bash help and usage information
bash --help
Specify an initialization file to read before executing commands
bash --init-file
Start Bash as a login shell
bash --login
Disable command‑line editing (no readline)
bash --noediting
Do not read the system‑wide profile scripts
bash --noprofile
Do not read the user’s ~/.bashrc file
bash --norc
Enable POSIX‑compliant behavior
bash --posix
Pretty‑print shell scripts after parsing
bash --pretty-print
Specify an alternative rc file instead of ~/.bashrc
bash --rcfile
Start Bash in restricted mode
bash --restricted
Print shell input lines as they are read
bash --verbose
Show version information and exit
bash --version
Resource(s)
- http://www.gnu.org/software/bash
- https://www.grymoire.com/Unix/Bourne.html
- https://tldp.org/LDP/abs/html/
- https://github.com/awesome-lists/awesome-bash
- https://web.archive.org/web/20230406195713/https://www.gnu.org/software/bash/
- https://lists.gnu.org/archive/html/bug-bash/2025-07/msg00005.html
- https://mywiki.wooledge.org/BashFAQ/061
- https://web.archive.org/web/20230328220001/https://wiki.bash-hackers.org/start
- https://tiswww.case.edu/php/chet/bash/bashtop.html
- https://google.github.io/styleguide/shellguide.html
- https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html
- https://www.topbug.net/blog/2017/07/31/inputrc-for-humans/
- https://www.gnu.org/savannah-checkouts/gnu/bash/manual/bash.html#Readline-Killing-Commands
- http://jpsdomain.org/linux/linux.html
- https://www.linuxdoc.org/LDP/nag2/index.html