Security Tip: Find Out Current Working Directory Of A Process Running on Linux/Unix

For security reasons, you may need to find out the current working directory of a process. You can obtain this information by looking at /proc/pid/cwd or by using the pwdx command. The pwdx command reports the current working directory of a process or processes.

Find out the working directory of a process

Run the ps aux command to find out the PID of a process:
$ ps aux | grep {process-name}

To find out the current working directory of PID 13456:
$ pwdx 13456
Sample output:
13456: /tmp/.xy

It looks like someone is trying to hide a process (PID 13456) in the /tmp/.xy directory. You can also run the following command:
$ ls -l /proc/13456/cwd
Sample outputs:
lrwxrwxrwx 1 apache apache 0 Nov 14 05:30 /proc/13456/cwd -> /tmp/.xy

Here is another example, showing my nginx server processes running inside a jail called /wwwjail:

pgrep nginx

Sample outputs:

49833
49834
49835
49836

pwdx 49833 49834 49835 49836

Sample outputs:

49833: /wwwjail
49834: /wwwjail
49835: /wwwjail
49836: /wwwjail

Putting it all together

You can combine the pgrep command and the pwdx command into a single command as follows:

pwdx $(pgrep ProcessNameHere)
pwdx $(pgrep nginx)

OR

awk -F': ' '{ print $2 }' <<<"$(pwdx $(pgrep nginx))"

Sample outputs:

/wwwjail
/wwwjail
/wwwjail
/wwwjail

Not a fan of the Linux or Solaris pwdx command?

If you are not using a Solaris Unix or Linux based system, try a combination of the lsof command and the grep or awk command as follows:

lsof -p PID | grep --color cwd
 
################################
## assuming that pid is 1617 ###
################################
lsof -p 1617 | awk '/cwd/{ print }'
lsof -p 1617 | awk '/cwd/{ print $9 }'

Sample outputs:

named   1617 bind  cwd    DIR              252,1     4096 28847267 /var/cache/bind

OR

/var/cache/bind

Please note that cwd is an environment variable that points to the current working directory of the given PID.
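
The /proc/PID/cwd check shown earlier, extended to every process on a Linux host. This is an added example, not part of the original article: it flags working directories that are hidden, deleted, or under /tmp, /var/tmp or /dev/shm. The function names, the script file name and the list of flagged locations are assumptions.

```sh
#!/bin/sh
# Added example: flag processes whose current working directory looks odd.
# Reads the same /proc/PID/cwd symlinks that pwdx and "ls -l" show.

# classify_cwd PATH
# Prints a comma-separated list of reasons and returns 0 when PATH is
# worth a closer look; prints nothing and returns 1 otherwise.
classify_cwd() {
    local path="$1" reasons=""
    # The kernel appends " (deleted)" when the directory was removed
    # while the process was still running in it.
    case $path in
        *" (deleted)") reasons="deleted"; path=${path%" (deleted)"} ;;
    esac
    # World-writable scratch locations (assumed list, extend as needed).
    case $path in
        /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*)
            reasons="${reasons:+$reasons,}world-writable" ;;
    esac
    # Any path component that starts with a dot, as in /tmp/.xy.
    case $path in
        */.*) reasons="${reasons:+$reasons,}hidden" ;;
    esac
    [ -n "$reasons" ] || return 1
    printf '%s\n' "$reasons"
}

# scan_cwds [PROC_ROOT]
# Prints "PID<TAB>REASONS<TAB>CWD" for every flagged process.
# PROC_ROOT defaults to /proc; the parameter exists so the function can
# be exercised against a constructed directory tree.
scan_cwds() {
    local proc="${1:-/proc}" link pid cwd reasons
    for link in "$proc"/[0-9]*/cwd; do
        # readlink fails if the process exited or we lack permission.
        cwd=$(readlink "$link" 2>/dev/null) || continue
        pid=${link%/cwd}; pid=${pid##*/}
        if reasons=$(classify_cwd "$cwd"); then
            printf '%s\t%s\t%s\n' "$pid" "$reasons" "$cwd"
        fi
    done
}

# Scan the live system only when asked to (hypothetical file name):
#   sh cwdscan.sh --scan
if [ "${1:-}" = "--scan" ]; then scan_cwds; fi
```

Run it as root so that /proc/PID/cwd is readable for processes owned by other users. Dot-directories under home directories will also be reported as hidden and usually need to be allowlisted.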

3 comments
  • Gagan Brahmi Nov 23, 2007 @ 22:31

    Hey Vivek,

    You can add the lsof command for this as well.

    # lsof -p 13456|more

    The more option over here is to make sure you don’t run out to the next page as the current working directory will be displayed right at the top.

  • 🐧 nixCraft Nov 15, 2007 @ 1:19

    yup, lsof is a nifty tool for admins.

  • virens Nov 14, 2007 @ 20:22

    Great thing, I usually use lsof | grep whatiwant. Thanks!
