Security Tip: Find Out Current Working Directory Of A Process Running on Linux/Unix

For security reasons you may need to find out the current working directory of a process. You can obtain this information by inspecting the /proc/pid/cwd symbolic link or by using the pwdx command. The pwdx command reports the current working directory of a process or processes.

Find out the working directory of a process

Run the ps aux command to find out the PID of a process:
$ ps aux | grep {process-name}

To find out the current working directory of PID 13456:
$ pwdx 13456
Sample output:
13456: /tmp/.xy

It looks like someone is trying to hide a process (PID 13456) in the /tmp/.xy directory. You can also run the following command:
$ ls -l /proc/13456/cwd
Sample outputs:
lrwxrwxrwx 1 apache apache 0 Nov 14 05:30 /proc/13456/cwd -> /tmp/.xy

Here is another example of my nginx server process running inside a jail called /wwwjail:

pgrep nginx

Sample outputs:

49833
49834
49835
49836

pwdx 49833 49834 49835 49836

Sample outputs:

49833: /wwwjail
49834: /wwwjail
49835: /wwwjail
49836: /wwwjail

Putting it all together

You can combine the pgrep and pwdx commands into a single command as follows:

pwdx $(pgrep ProcessNameHere)
pwdx $(pgrep nginx)

OR

awk -F': ' '{ print $2 }' <<<"$(pwdx $(pgrep nginx))"

Sample outputs:

/wwwjail
/wwwjail
/wwwjail
/wwwjail

Not a fan of the Linux or Solaris pwdx command?

If you are not using a Solaris Unix or Linux based system, try a combination of the lsof command and the grep or awk command as follows:

lsof -p PID | grep --color cwd

################################
## assuming that pid is 1617 ###
################################
# match the FD column so that a path that merely contains "cwd" is not printed
lsof -p 1617 | awk '$4 == "cwd" { print }'
lsof -p 1617 | awk '$4 == "cwd" { print $9 }'

Sample outputs:

named   1617 bind  cwd    DIR              252,1     4096 28847267 /var/cache/bind

OR

/var/cache/bind

Please note that cwd here is the entry lsof prints in its FD column for the current working directory of the given PID; /proc/PID/cwd is a symbolic link that points to the same directory.
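
To sweep every process instead of checking one PID at a time, the following added example (not part of the original article) reads each /proc/PID/cwd link and prints the PIDs whose working directory is under /tmp, /var/tmp or /dev/shm, contains a hidden path component such as /tmp/.xy, or has been deleted. The function names and the list of directories are assumptions chosen for illustration; run it as root to see processes owned by other users.

```shell
#!/bin/sh
# Added example: triage heuristic, not a verdict. Legitimate software can
# also run from dot-directories, so review each hit by hand.

# is_suspicious_cwd PATH -> returns 0 when PATH deserves a closer look
is_suspicious_cwd() {
    case "$1" in
        *" (deleted)") return 0 ;;   # directory was removed while the process still runs
        /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*) return 0 ;;  # world-writable scratch space
        */.*) return 0 ;;            # hidden path component, e.g. /tmp/.xy
    esac
    return 1
}

# scan_cwds [PROC_ROOT] -> prints "PID<TAB>CWD" for every flagged process.
# PROC_ROOT defaults to /proc; the parameter exists so the function can be
# pointed at a constructed directory tree. The body runs in a subshell so
# its variables do not leak into the caller.
scan_cwds() (
    root="${1:-/proc}"
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid="${dir##*/}"
        # readlink fails when we lack permission or the process has exited
        cwd="$(readlink "$dir/cwd" 2>/dev/null)" || continue
        if is_suspicious_cwd "$cwd"; then
            printf '%s\t%s\n' "$pid" "$cwd"
        fi
    done
)

scan_cwds "${1:-/proc}"
```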

3 comments
  • virens Nov 14, 2007 @ 20:22

    Great thing, I usually use lsof | grep whatiwant. Thanks!

  • 🐧 nixCraft Nov 15, 2007 @ 1:19

    yup, lsof is a nifty tool for admins.

  • Gagan Brahmi Nov 23, 2007 @ 22:31

    Hey Vivek,

    You can add the lsof command for this as well.

    # lsof -p 13456|more

    The more option over here is to make sure you don’t run out to the next page as the current working directory will be displayed right at the top.
