Linux I/O Redirection & File Inspection
Introduction
Every process in Linux inherits three file descriptors at birth — stdin (0), stdout (1), and stderr (2). Redirection is simply the act of rerouting these streams: away from the terminal, into a file, into another process, or into the void. It is the backbone of log management, silent automation, and forensic data handling.
This note covers the core redirection operators, practical patterns, and two essential inspection tools — ls and file.
File Descriptor Reference
| Descriptor | Stream | Purpose |
|---|---|---|
| 0 | stdin | Standard input — keyboard or piped data |
| 1 | stdout | Standard output — normal command results |
| 2 | stderr | Standard error — diagnostic and error messages |
Every redirection syntax in Linux targets one of these three.
Redirecting Standard Output
| Operator | Behaviour |
|---|---|
| > | Writes stdout to a file. Creates it if missing; overwrites if it exists. |
| >> | Appends stdout to the end of a file. |
ls > file.txt # Overwrites file.txt with directory listing
echo "Hello" >> file.txt # Appends "Hello" to the end of file.txt
Key distinction: > destroys existing content. >> preserves it. Choose deliberately.
Redirecting Standard Error
| Operator | Behaviour |
|---|---|
| 2> | Writes stderr to a file (overwrite). |
| 2>> | Appends stderr to a file. |
command_not_found 2> error.txt # Captures the error message into error.txt
The 2 prefix explicitly targets file descriptor 2 — the error stream.
Redirecting Both Streams
When you need everything — normal output and errors — in one place:
| Operator | Behaviour |
|---|---|
| command > file 2>&1 | Merges stderr into stdout, writes both to file. |
| command >> file 2>&1 | Same, but appends. |
command > output.txt 2>&1 # All output and errors go to output.txt
Bash 4 and later provides a cleaner shorthand:
command &> output.txt # Overwrites — equivalent to > file 2>&1
command &>> output.txt # Appends — equivalent to >> file 2>&1
Discarding Output
/dev/null is a special device that silently absorbs anything written to it — a black hole for unwanted output.
command > /dev/null # Silences stdout
command > /dev/null 2>&1 # Silences everything
yum install vim -y > /dev/null # Quiet package install
cat /dev/null > /tmp/sysinfo.txt # Truncates a file to zero bytes
Use this when you care about a command’s side effects but not its output.
Operator Cheat Sheet
| Operator | Action |
|---|---|
| > | Overwrite with stdout |
| >> | Append with stdout |
| 2> | Overwrite with stderr |
| 2>> | Append with stderr |
| 2>&1 | Merge stderr into stdout |
| &> | Overwrite with both streams (Bash 4+) |
| &>> | Append with both streams (Bash 4+) |
| > /dev/null | Discard the stream |
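The ordering rule behind `> file 2>&1` from the tables above, as an added example that is not part of the original note: redirections are applied left to right, so writing `2>&1` before `> file` leaves stderr outside the log. The `emit` function and the log file names are constructed stand-ins for a real command and its logs.

```shell
#!/bin/sh
# Added example (constructed): emit() stands in for any command that
# writes one line to stdout and one line to stderr.
emit() {
    echo "normal result"        # fd 1 (stdout)
    echo "error message" >&2    # fd 2 (stderr)
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Correct order: fd 1 is pointed at the file first, then fd 2 is
# duplicated from fd 1, so both lines land in the log.
lines_in_merged_log() {
    emit > "$workdir/merged.log" 2>&1
    grep -c '' "$workdir/merged.log"
}

# Reversed order: fd 2 is duplicated from fd 1 while fd 1 still points at
# the caller's stdout, and only then is fd 1 moved to the file. The error
# line never reaches the log; it comes out on the caller's stdout instead.
escaped_by_reversed_order() {
    emit 2>&1 > "$workdir/reversed.log"
}

# Separate targets keep the two streams apart for later review.
split_streams() {
    emit > "$workdir/out.log" 2> "$workdir/err.log"
    echo "out=$(cat "$workdir/out.log") err=$(cat "$workdir/err.log")"
}

echo "merged.log line count:    $(lines_in_merged_log)"
echo "escaped the reversed log: $(escaped_by_reversed_order)"
echo "reversed.log contains:    $(cat "$workdir/reversed.log")"
split_streams
```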
Directory Enumeration with ls
ls is the first tool you reach for when surveying a filesystem. The shell expands wildcards (*) via globbing before arguments reach the binary, which matters when tracing unexpected behaviour.
| Flag | Description |
|---|---|
| -a | Show all entries, including hidden dotfiles (.bashrc, .ssh, etc.) |
| -l | Long format — permissions, ownership, size, and timestamps |
| -h | Human-readable sizes (K, M, G) |
| -f | Unsorted output — useful in large directories to reduce latency |
ls -lah * # Everything, long format, human-readable
In practice: Look for dotfiles that shouldn’t be there, unusually large files, or timestamps that don’t match expected deployment schedules. Anomalies in ls output are often the first sign of compromise.
File Signature Analysis with file
Extensions lie. A file named image.jpg might be a shell script. The file command inspects internal headers — magic bytes — to reveal what a file actually is.
| Flag | Description |
|---|---|
| -b | Brief mode — suppresses the filename from output |
| -i | Outputs the MIME type instead of a human description |
| -z | Peers inside compressed archives to identify contents |
file suspicious_upload.dat # What is this really?
file -i user_input # MIME type for scripting pipelines
file -z archive.gz # Identify contents within the archive
Forensics discipline: Always run file before executing or concatenating unknown input. If the result is data, executable, or anything unexpected, do not cat it — terminal corruption or accidental execution are real risks.