Method to view the complete path of a process in Linux

Published: 2019-11-13 | Modified: 2019-11-13

A few days ago, a friend asked me to analyze a high CPU usage process on the server and determine if it was compromised. It is essential to find the process path before analyzing the process. In this article, I will share the methods to view process paths in Linux.

Using the ps command to view processes

The ps command is used to report the current status of processes in the system. First, we use the ps command (ps -ef) to find the PID of the nginx process.

[root@sharktech ~]# ps -ef|grep 'nginx'
root     10837     1  0 Nov01 ?        00:00:00 nginx: master process nginx
www      10838 10837 24 Nov01 ?        2-17:32:59 nginx: worker process
www      10839 10837  0 Nov01 ?        00:00:36 nginx: cache manager process
root     10939 10879  0 19:15 pts/1    00:00:00 grep --color=auto nginx

We can see that the PID of the nginx master process is 10837. We need to record this for future use.

Viewing the process path

When a process starts, Linux creates a directory under /proc named after its PID. This directory holds information about the process, including a symbolic link named exe that points to the absolute path of the executable. We can inspect it with ls -l (or the ll alias, where it is defined). In the previous step we found that the nginx master process has PID 10837, so let's use ls to see what is inside that directory.

[root@sharktech ~]# ls -l /proc/10837
total 0
dr-xr-xr-x. 2 root root 0 Nov 12 19:19 attr
-rw-r--r--. 1 root root 0 Nov 12 19:19 autogroup
-r--------. 1 root root 0 Nov 12 19:19 auxv
-r--r--r--. 1 root root 0 Nov 12 19:19 cgroup
--w-------. 1 root root 0 Nov 12 19:19 clear_refs
-r--r--r--. 1 root root 0 Nov 12 19:19 cmdline
-rw-r--r--. 1 root root 0 Nov 12 19:19 comm
-rw-r--r--. 1 root root 0 Nov 12 19:19 coredump_filter
-r--r--r--. 1 root root 0 Nov 12 19:19 cpuset
lrwxrwxrwx. 1 root root 0 Nov 12 19:19 cwd -> /root
-r--------. 1 root root 0 Nov 12 19:19 environ
lrwxrwxrwx. 1 root root 0 Nov 12 19:19 exe -> /usr/local/nginx/sbin/nginx
dr-x------. 2 root root 0 Nov 12 19:19 fd
dr-x------. 2 root root 0 Nov 12 19:19 fdinfo

We can see that exe -> /usr/local/nginx/sbin/nginx. The exe symbolic link points to /usr/local/nginx/sbin/nginx, which is the location of the nginx executable. The meaning of some of the files and directories in this directory is as follows:

  • cwd is a symbolic link to the current working directory of the process.
  • exe is a symbolic link to the absolute path of the program being executed.
  • cmdline contains the command line the process was started with.
  • environ records the environment variables of the process.
  • fd contains symbolic links to the files the process has open.
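
The lookups above can be collected into one small script. This is an added example, not part of the original article; the function names and the PROC_ROOT variable are assumptions of this example. It also handles two cases the listing does not show: an exe link that cannot be read, and one whose target the kernel has marked " (deleted)".

```shell
#!/bin/sh
# PROC_ROOT is an assumption of this example: it defaults to /proc and exists
# only so the functions can be pointed at a constructed directory tree.

# proc_exe PID: print the target of /proc/PID/exe; non-zero status if the
# link cannot be read (process exited, kernel thread, or no permission).
proc_exe() (
    readlink "${PROC_ROOT:-/proc}/$1/exe" 2>/dev/null
)

# proc_cmdline PID: print the command line. The file separates arguments with
# NUL bytes, so turn them into spaces (arguments that contain spaces become
# ambiguous in this display form).
proc_cmdline() (
    f="${PROC_ROOT:-/proc}/$1/cmdline"
    [ -r "$f" ] || exit 1
    tr '\000' ' ' < "$f" | sed 's/ $//'
)

# proc_exe_state PID: classify the exe link as ok, deleted or unreadable.
# The kernel appends " (deleted)" to the link target when the file that was
# executed has since been removed from disk.
proc_exe_state() (
    exe=$(proc_exe "$1") || { echo unreadable; exit 0; }
    case $exe in
        *' (deleted)') echo deleted ;;
        *)             echo ok ;;
    esac
)

# proc_report PID: one block of output per process.
proc_report() (
    root=${PROC_ROOT:-/proc}
    printf 'pid=%s exe_state=%s\n' "$1" "$(proc_exe_state "$1")"
    printf '  exe:     %s\n' "$(proc_exe "$1" || echo '?')"
    printf '  cwd:     %s\n' "$(readlink "$root/$1/cwd" 2>/dev/null || echo '?')"
    printf '  cmdline: %s\n' "$(proc_cmdline "$1" || echo '?')"
)

# Usage: sh procpath.sh 10837 [PID...]
for pid in "$@"; do
    proc_report "$pid"
done
```

A deleted state also appears when a package upgrade replaces the binary of a service that is still running, so treat it as a reason to look closer rather than as a verdict.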

This article partially draws on: Linux查看进程运行的完整路径方法 ("Method to view the complete path of a running process in Linux")

