CLI Command Cheat Sheet

macOS ships BSD ls, which lacks --color=auto (use -G instead) and orders flags differently. Install GNU coreutils via Homebrew (brew install coreutils) to get gls matching Linux behaviour.

cd is a shell builtin, not a binary — it can’t be run via sudo or xargs. Use pushd / popd if you need a directory stack.

rm -rf / is the canonical destructive command. On macOS and modern GNU coreutils, rm refuses / without --no-preserve-root, but a leading variable that resolves to empty (rm -rf "$VAR"/) still nukes / — always quote-test critical paths. There is no undelete.

BSD cp (macOS) has no -a; use cp -pR or install GNU coreutils. Trailing / on the source means “contents of” — cp -r src/ dst/ copies the contents of src into dst, while cp -r src dst/ copies the src directory itself into dst.

Hard links share the same inode and break if the file system runs out of inodes; you can’t hard-link across file systems or to directories. Symbolic links can point at anything but become broken if the target moves.

Format strings differ between GNU stat (Linux: -c) and BSD stat (macOS: -f). Cross-platform scripts should detect or fall back to ls -l.

Not installed by default on macOS (brew install tree) or many minimal Linux containers (apt install tree).

Not available on stock macOS — install via brew install coreutils and use grealpath, or fall back to readlink -f (also macOS-missing) or cd "$(dirname p)" && pwd.

macOS ships BSD grep, which lacks -P and orders flags differently. Install GNU grep via brew install grep for cross-platform ggrep. Patterns starting with - need a -- separator (grep -- -foo file). ripgrep (rg) is faster, respects .gitignore, and is generally preferable for ad-hoc work.

-print is the default action — drop it for clarity, add it back when piping into xargs with weird filenames (use -print0 + xargs -0 to handle spaces). BSD find (macOS) and GNU find have minor flag differences (-printf is GNU-only).

NR is the line number, NF the field count; $0 is the whole line, $1..$NF the fields. Built-in to every Unix; for anything more elaborate, reach for Python or jq (for JSON).

sed -i means “in-place” on GNU but BSD/macOS requires a backup-extension arg (sed -i '' 's/…'). The portable form is sed -i.bak 's/…' which works on both and leaves a .bak behind. Don’t mix delimiters inside the script: use s|/path|/new|g when the pattern contains slashes.

uniq only collapses adjacent duplicates — pipe sort in first, or use sort -u for a one-step equivalent.

Inside less: /pattern searches forward, ?pattern searches backward, n/N jumps next/prev, g/G go to top/bottom, q quits. +F tails the file like tail -f until Ctrl+C drops you into normal less mode.

“Useless use of cat” — cat file | grep x is just grep x file. Pipelines work better when you don’t detach the input from its source.

The echo … | sudo tee -a pattern is how you write to a root-only file when you can’t run sudo on a redirect (because >> is interpreted by your unprivileged shell, not the sudo’d process).

Without -0, filenames with spaces or newlines break. Always pair find -print0 with xargs -0. -I {} implies -n 1.

Not installed by default — apt install jq / brew install jq. For YAML use yq (the Mike Farah Go reimplementation); they share most of the syntax.

ps aux and ps -ef are nearly equivalent but use different flag syntax (BSD vs POSIX). On modern Linux either works; on minimal busybox boxes (and some Android setups) only one is available.

Linux top and macOS top are different binaries with different keybindings. Inside Linux top: P sort by CPU, M by memory, k kill a PID, q quit.

Not installed by default — apt install htop / brew install htop / pkg install htop in Termux. Inside htop: F5 tree, F6 sort, F9 kill, F10 quit.

Reach for -15 first — -9 bypasses cleanup and can leave locked files, half-written data, or zombie children. A process that ignores -15 for >5s is the only candidate for -9.

Jobs are shell-local — they disappear when the shell exits unless you use nohup or disown. Use fg %1 to foreground job 1, bg %1 to resume it in the background.

Output goes to nohup.out in the current directory unless you redirect explicitly. For something more durable, use systemd service units (Linux), launchd (macOS), or a terminal multiplexer like tmux.

Almost always needs sudo to see other users’ files / sockets. On Linux, ss -ltnp is faster for “what’s listening on which port”.

time is both a shell builtin and a binary (/usr/bin/time). The builtin (which most shells default to) shows real/user/sys; the binary supports -v for memory and I/O stats (/usr/bin/time -v ... on Linux).

curl | sh executes arbitrary network code — only do this for sources you trust. Default macOS curl lacks brotli/zstd support — install via Homebrew for full features. Use --fail in scripts so 4xx/5xx responses produce a non-zero exit code.

Not installed on macOS by default — brew install wget. curl covers most of the same use cases and is preinstalled everywhere.

Some networks block ICMP — “ping fails” doesn’t always mean the host is down. Sub-second -i values usually require root.

dig is more powerful and has better scripting support; reach for nslookup on Windows where dig isn’t bundled.

ss replaced netstat on modern Linux — faster and reads /proc/net directly. macOS uses netstat + lsof -i instead.

Deprecated on modern Linux in favour of ss (faster same data). Still standard on macOS, BSD, and Windows.

Only scan networks you own or have written permission to scan. Aggressive scans are noisy and may trigger IDS alerts.

Replaced the older ifconfig / route / arp trio. Not available on macOS — use ifconfig + route + netstat -rn there.

Deprecated on modern Linux (use ip). Still default on macOS and BSD.

Config goes in ~/.ssh/config — set HostName, User, Port, IdentityFile per host and never type those flags again. StrictHostKeyChecking accept-new is the sane default (warns on changed keys but accepts first contact). Agent forwarding (-A) gives the remote sudo over your local keys — don’t enable it on shared boxes.

OpenSSH 9+ switched scp’s wire protocol from RCP to SFTP — behaves similarly but rejects some old quoting tricks. For anything beyond trivial copies, prefer rsync (resumes, delta transfer, much faster on retries).

Trailing / matters: src/ means “contents of src”, src means “the src dir itself”. Always dry-run --delete first. -a is shorthand for -rlptgoD; drop -a and explicitly pick flags if you don’t want owners/groups preserved.

Default output path is ~/.ssh/id_ed25519 — answer the prompts if you want a different location. Use a passphrase for anything that touches production; pair with ssh-add so you only enter it once per session.

Not bundled with Windows OpenSSH — workaround: cat ~/.ssh/id_ed25519.pub | ssh user@host 'cat >> ~/.ssh/authorized_keys'.

Once connected: ls, cd, get, put, mget, mput, bye. sshfs (FUSE) mounts a remote dir as a local filesystem if you’d rather use regular file tools.

Uses UDP on ports 60000–61000 — open those if your network blocks them. Needs mosh installed on both ends (server-side acts as a relay). For SSH-only environments stick with ssh + tmux.

git add . stages everything below the current directory; git add -A stages the entire working tree. Big difference if you’re inside a subfolder. Use -p for surgical commits when one set of edits should be split across multiple commits.

Never --amend a commit that’s already pushed to a shared branch without coordinating a force-push. -a stages already-tracked files only — new files still need git add first.

Default --force can wipe a teammate’s pushed work. Use --force-with-lease — it refuses to push if the remote moved on after your last fetch. Even safer: --force-with-lease=<branch>:<sha> pinning the exact SHA you expect to be overwriting.

Set git config --global pull.rebase true (or pull.ff only) once and you’ll never accidentally create a junky “Merge branch ‘main’ of …” commit again.

Never rebase commits that have been pushed to a shared branch. Rebasing rewrites SHAs, so anyone with the old SHAs will be on a diverged history.

Stashes are local-only — they never push or sync. Don’t treat the stash as long-term storage; commit to a wip branch if you’ll be gone for more than a day.

--hard discards uncommitted changes silently — no undo. Use git reflog to recover the previous HEAD if you reset by mistake.

Always run apt update before apt install — stale indexes cause “package not found” errors. apt is the user-facing tool; apt-get is the more scriptable stable interface (preferred in CI).

Don’t sudo brew — Homebrew is designed to install into a user-writable prefix and refuses elevated runs.

Never run pacman -Sy <pkg> on Arch — partial upgrades break dependency chains. Always -Syu.

Don’t pip install as root on a system Python — you’ll collide with the distro package manager (apt, dnf). Use python -m venv .venv && . .venv/bin/activate, or pipx for CLI tools, or --user. On modern Debian/Ubuntu, system Python is “externally managed” and pip refuses without --break-system-packages.

Use npm ci in CI — it errors instead of mutating package-lock.json, and it’s faster. Don’t mix npm and yarn/pnpm in the same repo.

Argument order matters with single-letter flags — c, x, t come first; f <archive> must directly precede the filename. Long options (--create, --extract) are more forgiving. Always verify -C when extracting untrusted archives — tarballs can contain absolute paths or ../ traversals (the classic “tar slip” attack).

gzip works on one file at a time. For multiple files bundle with tar first (tar czf bundle.tar.gz dir/) — that’s the .tar.gz convention.

sudo cmd >> /etc/file doesn’t work — the redirect is your unprivileged shell. Use echo … | sudo tee -a /etc/file instead. Edit /etc/sudoers only via visudo so syntax errors don’t lock you out.

Octal cheat sheet: r=4 w=2 x=1. 755 is “owner rwx, others rx” (the default for executables and dirs); 644 is “owner rw, others r” (regular files); 600 is “owner only” (private keys, .env). Capital X in symbolic mode means “x on dirs but not regular files unless already executable” — exactly what you want with -R.

Umask is subtracted from the default base mode (666 for files, 777 for dirs). umask 022 → new files 644, new dirs 755 (the typical default). umask 077 → owner-only, useful for paranoid home dirs.

“No space left on device” can mean blocks OR inodes — check df -i too. Lots of small files can exhaust inodes well before blocks fill up.

du -sh * misses dotfiles — use du -sh .[!.]* * to include them. ncdu is an interactive front end worth installing if you’re hunting space hogs.

“Target is busy” usually means a shell is cd‘d into the mount or a process has an open file. lsof +D /mnt/usb or fuser -m /mnt/usb tells you who.

available is what you actually have — free excludes cache that the kernel will reclaim on demand. Linux uses free RAM as cache aggressively; “low free RAM” is usually fine.

echo is a shell builtin AND a binary; behaviour differs slightly across both. For anything beyond trivial output, prefer printf — it’s portable, supports format strings, and doesn’t quietly interpret -e/-n as data.

An assignment without export (FOO=bar) sets a shell variable that child processes will not see. FOO=bar cmd exports for that single invocation only — clean and useful.

The shebang line #!/usr/bin/env python3 uses env to look up Python in PATH — portable across distros that install Python in different places.

Aliases are shell-local — define them in ~/.bashrc / ~/.zshrc for persistence. They don’t expand inside scripts run with #!/bin/bash unless you enable shopt -s expand_aliases; use a function instead for script-level reuse.

Bash truncates history to HISTSIZE entries; the file to HISTFILESIZE. Multi-shell users want HISTCONTROL=ignoreboth and shopt -s histappend to avoid clobbering history when several shells exit at once.

which doesn’t know about aliases or shell functions — type does. Prefer command -v in scripts (POSIX, portable, predictable).

Inside man: /pattern search, n/N next/prev, q quit. For colourised man pages set MANPAGER='less -R' and a colour-aware LESS_TERMCAP_* set in your shell init. tldr is a friendlier “example-first” alternative.

Always use read -r in scripts — without it, backslashes get interpreted as line continuations. while IFS= read -r line; do …; done < file is the canonical loop for reading a file line by line in bash.

Order matters: cmd > file 2>&1 sends both to file, but cmd 2>&1 > file sends stderr to the original stdout (terminal) and stdout to the file. &> is bash-only; portable scripts should use > file 2>&1.

System Python and your project’s Python are different — use python3 -m venv .venv && . .venv/bin/activate per project. On macOS, python (no 3) usually doesn’t exist; always use python3. uv / pyenv manage parallel interpreter versions.

The “strict mode” trio set -euo pipefail at the top of every script catches a huge class of bugs early — unset vars typoed as commands, partial-pipeline failures silently ignored, etc. macOS ships bash 3.2 (2007) under /bin/bash — brew install bash for the modern one at /opt/homebrew/bin/bash.

Default shell on macOS since Catalina. Most bash scripts work unchanged but a few subtle differences exist (word splitting on unquoted vars, glob behaviour). Pin scripts to bash with #!/usr/bin/env bash when portability matters.

Use #!/usr/bin/env <interp> for portability — it finds the interpreter via PATH instead of hard-coding /usr/local/bin/.... Linux limits the shebang line to 128 chars and historically only allows one arg to the interpreter — env -S (GNU coreutils ≥ 8.30) splits a second arg-string for you.

Default users inside containers are often root, even when the host user isn’t. Anything written into a bind-mount lands on disk as root. Pass -u "$(id -u):$(id -g)" to match your host UID, or build the image with a non-root USER.

The context (.) is uploaded to the daemon before the build starts — add a .dockerignore to exclude node_modules, .git, etc. or you’ll send gigabytes on every build. Use BuildKit (DOCKER_BUILDKIT=1 on older Docker, default since 23.0) for cache mounts, parallel stages, and secret mounts.

docker compose (v2, plugin) and docker-compose (v1, separate Python binary) take nearly identical args; v1 is legacy and missing from new installs. compose.yml is the v3+ filename, but most projects still ship docker-compose.yml.

CLI is a near-superset of Docker’s (most docker commands work via alias docker=podman). Default is rootless — uses user namespaces under the hood, so port-mapping below 1024 won’t work without extra config. On macOS, runs a tiny Linux VM (podman-machine) behind the scenes.

Always confirm kubectl config current-context before destructive commands — landing a kubectl delete on production because you forgot to switch contexts is a classic footgun. kubectx + kubens from ahmetb/kubectx make context/namespace switching ergonomic.