Security Tip: Find Out Current Working Directory Of A Process Running on Linux/Unix

by on November 14, 2007 · 3 comments· LAST UPDATED February 1, 2014

in , ,

For security reason you may need to find out current working directory of a process. You can obtained this information by visiting /proc/pid/cwd directory or using the pwdx command. The pwdx command reports the current working directory of a process or processes.

Find out out working directory for a process

Run ps aux command to find out PID of a process:
$ ps aux | grep {process-name}

To find out current working directory of a PID 13456:
$ pwdx 13456
Sample output:
13456: /tmp/.xy

Look like someone try to hide process (PID # 13456) /tmp/.xy directory. You can also run command:
$ ls -l /proc/13456/cwd
Sample outputs:
lrwxrwxrwx 1 apache apache 0 Nov 14 05:30 /proc/13456/cwd -> /tmp/.xy

Here is another example of my nginx server process running inside a jail called /wwwjail :

pgrep nginx

Sample outputs:

49833
49834
49835
49836
pwdx 49833 49834 49835 49836

Sample outputs:

49833: /wwwjail
49834: /wwwjail
49835: /wwwjail
49836: /wwwjail

Putting it all tougher

You can combine pgrep command and pwdx command into a single command as follows:

 
pwdx $(pgrep ProcessNameHere)
pwdx $(pgrep nginx)
 

OR

 
awk -F':' '{ print $2}' <<<$(pwdx $(pgrep nginx))
 

Sample outputs:

/wwwjail 49834

Not a fan of Linux or Solaris pwdx command?

If you are not using Solaris Unix or Linux based system, try combination of lsof command and grep command/awk command as follows:

 
lsof -p PID | grep --color cwd
 
################################
## assuming that pid is 1617 ###
################################
lsof -p 1617 | awk '/cwd/{ print }'
lsof -p 1617 | awk '/cwd/{ print $9 }'
 

Sample outputs:

named   1617 bind  cwd    DIR              252,1     4096 28847267 /var/cache/bind

OR

/var/cache/bind

Please note that cwd is an environment variable that points to the current working directory of given PID.

See also
TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 3 comments… read them below or add one }

1 virens November 14, 2007 at 8:22 pm

Great thing, I usually use lsof | grep whtaiwant. Thanks!

Reply

2 nixCraft November 15, 2007 at 1:19 am

yup, lsof is a nifty tool for admins.

Reply

3 Gagan Brahmi November 23, 2007 at 10:31 pm

Hey Vivek,

You can add the lsof command for this as well.

# lsof -p 13456|more

The more option over here is to make sure you don’t run out to the next page as the current working directory will be displayed right at the top.

Reply

Leave a Comment

Tagged as: , , , , , , , ,

Previous post:

Next post: