Publish: 2019-11-13 | Modify: 2019-11-13
A few days ago, a friend asked me to analyze a high CPU usage process on the server and determine if it was compromised. It is essential to find the process path before analyzing the process. In this article, I will share the methods to view process paths in Linux.
The ps command reports the current status of processes on the system. First, we use the ps command (ps -ef) to find the PID of the nginx process.
[root@sharktech ~]# ps -ef|grep 'nginx'
root 10837 1 0 Nov01 ? 00:00:00 nginx: master process nginx
www 10838 10837 24 Nov01 ? 2-17:32:59 nginx: worker process
www 10839 10837 0 Nov01 ? 00:00:36 nginx: cache manager process
root 10939 10879 0 19:15 pts/1 00:00:00 grep --color=auto nginx
We can see that the PID of the nginx master process is 10837. We need to record this for future use.
When a process starts in Linux, the system creates a directory under /proc named after its PID. This directory holds information about the process, including an entry named exe that records the absolute path of the executable. We can use the ll or ls -l command to view it. In the previous step, we found that the nginx process ID is 10837. Let's use the ls command to see what's inside.
[root@sharktech ~]# ls -l /proc/10837
total 0
dr-xr-xr-x. 2 root root 0 Nov 12 19:19 attr
-rw-r--r--. 1 root root 0 Nov 12 19:19 autogroup
-r--------. 1 root root 0 Nov 12 19:19 auxv
-r--r--r--. 1 root root 0 Nov 12 19:19 cgroup
--w-------. 1 root root 0 Nov 12 19:19 clear_refs
-r--r--r--. 1 root root 0 Nov 12 19:19 cmdline
-rw-r--r--. 1 root root 0 Nov 12 19:19 comm
-rw-r--r--. 1 root root 0 Nov 12 19:19 coredump_filter
-r--r--r--. 1 root root 0 Nov 12 19:19 cpuset
lrwxrwxrwx. 1 root root 0 Nov 12 19:19 cwd -> /root
-r--------. 1 root root 0 Nov 12 19:19 environ
lrwxrwxrwx. 1 root root 0 Nov 12 19:19 exe -> /usr/local/nginx/sbin/nginx
dr-x------. 2 root root 0 Nov 12 19:19 fd
dr-x------. 2 root root 0 Nov 12 19:19 fdinfo
We can see that exe -> /usr/local/nginx/sbin/nginx. The exe symbolic link points to the path /usr/local/nginx/sbin/nginx, which is the location of the nginx executable. The meaning of the files (directories) in this directory is as follows:
cwd is a symbolic link to the working directory of the process.
exe is a symbolic link to the absolute path of the executed program.
cmdline contains the command line used to run the program.
environ records the environment variables during the process execution.
fd contains symbolic links to the files opened or used by the process.

This article is partially referenced from: Linux查看进程运行的完整路径方法 (How to view the full path of a running process in Linux)
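
The /proc entries listed above, gathered into a small triage script. This is an added example, not code from the original article; PROC_ROOT and the function names are assumptions introduced here, and the " (deleted)" check goes one step beyond the text: the kernel appends that suffix to the exe target when the binary was removed from disk after the process started.

```shell
#!/bin/sh
# Added example (not from the original article): summarise /proc/<PID>.
# PROC_ROOT is a hypothetical override so the functions can be pointed at a
# test directory; it defaults to the real /proc.

# Print the target of the exe or cwd symlink, or "?" if it cannot be read
# (process gone, or not enough privileges).
proc_link() {
    readlink "${PROC_ROOT:-/proc}/$1/$2" 2>/dev/null || echo "?"
}

# cmdline stores the arguments separated by NUL bytes; print them with spaces.
proc_cmdline() {
    f="${PROC_ROOT:-/proc}/$1/cmdline"
    [ -r "$f" ] && tr '\000' ' ' < "$f" | sed 's/ *$//'
}

# Number of entries in fd (open file descriptors).
proc_fd_count() {
    ls "${PROC_ROOT:-/proc}/$1/fd" 2>/dev/null | wc -l | tr -d ' '
}

# Succeeds when the exe target carries the " (deleted)" suffix, i.e. the
# binary is no longer on disk although the process is still running.
exe_deleted() {
    case "$(proc_link "$1" exe)" in
        *" (deleted)") return 0 ;;
        *) return 1 ;;
    esac
}

proc_report() {
    printf 'pid:      %s\n' "$1"
    printf 'exe:      %s\n' "$(proc_link "$1" exe)"
    printf 'cwd:      %s\n' "$(proc_link "$1" cwd)"
    printf 'cmdline:  %s\n' "$(proc_cmdline "$1")"
    printf 'open fds: %s\n' "$(proc_fd_count "$1")"
    if exe_deleted "$1"; then
        printf 'warning:  executable no longer exists on disk\n'
    fi
}

# Usage: sh procpath.sh 10837   (without an argument, reports on this shell)
proc_report "${1:-$$}"
```

Reading exe, cwd and fd for a process owned by another user requires root, which is why the session above runs as root.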
I come from China and I am a freelancer. I specialize in Linux operations, PHP, Golang, and front-end development. I have developed open-source projects such as Zdir, ImgURL, CCAA, and OneNav.