Security Tip: Find Out Current Working Directory Of A Process Running on Linux/Unix

For security reason you may need to find out current working directory of a process. You can obtained this information by visiting /proc/pid/cwd directory or using the pwdx command. The pwdx command reports the current working directory of a process or processes.

Find out out working directory for a process

Run ps aux command to find out PID of a process:
$ ps aux | grep {process-name}

To find out current working directory of a PID 13456:
$ pwdx 13456
Sample output:
13456: /tmp/.xy

Look like someone try to hide process (PID # 13456) /tmp/.xy directory. You can also run command:
$ ls -l /proc/13456/cwd
Sample outputs:
lrwxrwxrwx 1 apache apache 0 Nov 14 05:30 /proc/13456/cwd -> /tmp/.xy

Here is another example of my nginx server process running inside a jail called /wwwjail :

pgrep nginx

Sample outputs:

49833
49834
49835
49836

pwdx 49833 49834 49835 49836

Sample outputs:

49833: /wwwjail
49834: /wwwjail
49835: /wwwjail
49836: /wwwjail

Putting it all tougher

You can combine pgrep command and pwdx command into a single command as follows:

pwdx $(pgrep ProcessNameHere)
pwdx $(pgrep nginx)

OR

awk -F':' '{ print $2}' <<<$(pwdx $(pgrep nginx))

Sample outputs:

/wwwjail 49834

Not a fan of Linux or Solaris pwdx command?

If you are not using Solaris Unix or Linux based system, try combination of lsof command and grep command/awk command as follows:

lsof -p PID | grep --color cwd
 
################################
## assuming that pid is 1617 ###
################################
lsof -p 1617 | awk '/cwd/{ print }'
lsof -p 1617 | awk '/cwd/{ print $9 }'

Sample outputs:

named   1617 bind  cwd    DIR              252,1     4096 28847267 /var/cache/bind

OR

/var/cache/bind

Please note that cwd is an environment variable that points to the current working directory of given PID.

See also

• See pwdx command example page for more information.
• Man pages – grep(1)