4 minutes
How to find a process working directory from the PID
In this post we are going to learn about a way to find the working directory of a process with just the PID!
It’s not a surprise if you get asked in a job interveiw as a DevOps/SRE engineer or sysadmin to find the working directory of a running process that you might only have little information about. So how you’d do it?
Find the PID
The key to this problem is to first identify the PID of the process. There are two easier ways to find the PID:
1- You know the process is listening on a TCP port:
netstat -ntpl
which results in printing the processes that are listening on different ports along with their PIDs.
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1731/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 605/sshd: /usr/sbin
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 383/systemd-resolve
tcp6 0 0 :::22 :::* LISTEN 605/sshd: /usr/sbin
You can see in our example the Nginx process has the PID “1731”.
2- Not all processes listen on a TCP port:
ps -aux | grep <process-name>
This time you are preseted with different output. Below you can see there multiple processes with “nginx” in their names.
root 1731 0.0 1.2 55312 12180 ? S 11:00 0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data 4092 0.0 0.6 56076 6480 ? S 14:07 0:00 nginx: worker process
root 5666 0.0 0.2 7004 2264 pts/7 S+ 23:20 0:00 grep --color=auto nginx
The PID is shown on the second column, and the first line is the process that we are looking for in this example (the master process of the Nginx application)
Find the working directory
Now that you have the PID let’s have a look at “/proc” directory. This is a very important directory on Linux systems. Beside holding informations about all the harware and system resources, it also holds a directory for each running process with the PID of that process as the name of the directory.
Let’s have a look
cd /proc
ls -h
Here you can see the directories of the processes including the one that we are looking for in this example the “1731” directory.
1 14 20 228 32 39 431 4815 4923 527 5591 6 71 buddyinfo dma ioports kpageflags net stat version
10 15 200 24 33 4 432 4816 4932 54 5592 60 721 bus driver irq loadavg pagetypeinfo swaps version_signature
11 16 204 25 34 4092 434 4825 4933 542 56 605 77 cgroups dynamic_debug kallsyms locks partitions sys vmallocinfo
1183 165 205 27 35 416 435 4826 4934 5489 5667 61 78 cmdline execdomains kcore mdstat pressure sysrq-trigger vmstat
12 1731 206 28 36 42 44 4827 4935 55 57 62 795 consoles fb key-users meminfo schedstat sysvipc xen
124 18 207 29 37 421 455 4828 495 5579 5720 63 797 cpuinfo filesystems keys misc scsi thread-self zoneinfo
1183 165 205 27 35 416 435 4826 4934 5489 5667 61 78 cmdline execdomains kcore mdstat pressure sysrq-trigger vmstat
12 1731 206 28 36 42 44 4827 4935 55 57 62 795 consoles fb key-users meminfo schedstat sysvipc xen
124 18 207 29 37 421 455 4828 495 5579 5720 63 797 cpuinfo filesystems keys misc scsi thread-self zoneinfo
125 19 21 3 38 422 466 4863 5 5580 5729 64 8 crypto fs kmsg modules self timer_list
126 190 210 30 381 43 4718 490 50 5589 58 65 acpi devices interrupts kpagecgroup mounts slabinfo tty
13 2 22 31 383 430 4725 4922 5161 5590 59 66 bootconfig diskstats iomem kpagecount mtrr softirqs uptime
To find the working directory of the process “1731” we need to look at two symbolic links in the directory. “cwd” shows the current working directory and “exe” shows the directory in which the exetubale file of the process is residing.
ls -lh cwd
lrwxrwxrwx 1 root root 0 Jul 13 11:00 cwd -> /
ls -lh exe
lrwxrwxrwx 1 root root 0 Jul 13 11:00 exe -> /usr/sbin/nginx