
Security Tip: Find Out Current Working Directory Of A Process Running on Linux/Unix

For security reasons, you may need to find out the current working directory of a process. You can obtain this information by visiting the /proc/pid/cwd directory or by using the pwdx command. The pwdx command reports the current working directory of a process or processes.

Find out the working directory for a process

Run the ps aux command to find out the PID of a process:
$ ps aux | grep {process-name}

To find out the current working directory of PID 13456:
$ pwdx 13456
Sample output:
13456: /tmp/.xy

It looks like someone is trying to hide a process (PID # 13456) in the /tmp/.xy directory. You can also run the following command:
$ ls -l /proc/13456/cwd
Sample outputs:
lrwxrwxrwx 1 apache apache 0 Nov 14 05:30 /proc/13456/cwd -> /tmp/.xy

Here is another example, my nginx server processes running inside a jail called /wwwjail:

pgrep nginx

Sample outputs:

49833
49834
49835
49836

pwdx 49833 49834 49835 49836

Sample outputs:

49833: /wwwjail
49834: /wwwjail
49835: /wwwjail
49836: /wwwjail

Putting it all together

You can combine the pgrep command and the pwdx command into a single command as follows:

 
pwdx $(pgrep ProcessNameHere)
pwdx $(pgrep nginx)
 

OR

 
pwdx $(pgrep nginx) | awk -F': ' '{ print $2 }'
 

Sample outputs:

/wwwjail
/wwwjail
/wwwjail
/wwwjail

Not a fan of the Linux or Solaris pwdx command?

If you are not using a Solaris Unix or Linux based system, try a combination of the lsof command and the grep or awk command as follows:

 
lsof -p PID | grep --color cwd
 
################################
## assuming that pid is 1617 ###
################################
lsof -p 1617 | awk '/cwd/{ print }'
lsof -p 1617 | awk '/cwd/{ print $9 }'
 

Sample outputs:

named   1617 bind  cwd    DIR              252,1     4096 28847267 /var/cache/bind

OR

/var/cache/bind

Please note that cwd is an environment variable that points to the current working directory of the given PID.
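
The /tmp/.xy check shown earlier can be run across every PID at once by reading the /proc/PID/cwd links directly. The following sketch is an added example, not part of the original post; the function names, the optional proc-root argument and the list of temp locations are assumptions of the example.

```shell
#!/bin/sh
# Added example: flag processes by their working directory.
# The proc-root argument is an assumption of this sketch (default /proc)
# so the scan can also run against a constructed directory tree.

# Return 0 when a cwd path deserves a second look:
#  - the directory was removed while the process kept running, or
#  - it is a hidden (dot) directory under a world-writable temp location.
# The three temp locations are this example's choice; extend as needed.
is_suspicious_cwd() {
    case "$1" in
        *" (deleted)") return 0 ;;
        /tmp/.*|/tmp/*/.*) return 0 ;;
        /var/tmp/.*|/var/tmp/*/.*) return 0 ;;
        /dev/shm/.*|/dev/shm/*/.*) return 0 ;;
    esac
    return 1
}

# Print "PID CWD" for every flagged process found under the proc root.
scan_cwds() {
    proc_root="${1:-/proc}"
    for d in "$proc_root"/[0-9]*; do
        # /proc/PID/cwd is a symlink; skip entries that vanished meanwhile.
        [ -L "$d/cwd" ] || continue
        # readlink fails without permission (other users' processes).
        cwd=$(readlink "$d/cwd" 2>/dev/null) || continue
        if is_suspicious_cwd "$cwd"; then
            printf '%s %s\n' "${d##*/}" "$cwd"
        fi
    done
}
```

Call scan_cwds with no argument as root to cover every user's processes; each hit can then be examined with pwdx or ls -l /proc/PID/cwd as above.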


Comments on this entry are closed.

  • virens November 14, 2007, 8:22 pm

    Great thing, I usually use lsof | grep whatiwant. Thanks!

  • nixCraft November 15, 2007, 1:19 am

    yup, lsof is a nifty tool for admins.

  • Gagan Brahmi November 23, 2007, 10:31 pm

    Hey Vivek,

    You can add the lsof command for this as well.

    # lsof -p 13456|more

    The more option over here is to make sure you don’t run out to the next page as the current working directory will be displayed right at the top.