XZ

Xiao Z's blog

Learn, build, share

How to Check the Full Path of a Linux Process

linux process pathcheck process executablelinux ps commandproc filesystemfind process location
Published·Modified·

A few days ago, a colleague asked me to analyze why a process on their server was consuming a lot of CPU, suspecting it might be compromised. Before analyzing the process, finding its path is an essential step. This article shares methods to check the process path in Linux.

Check Process with the ps Command

The ps command reports the current status of processes in the system. First, use the ps command (ps -ef) to find the PID of the nginx process.

[root@sharktech ~]# ps -ef|grep 'nginx'
root     10837     1  0 Nov01 ?        00:00:00 nginx: master process nginx
www      10838 10837 24 Nov01 ?        2-17:32:59 nginx: worker process
www      10839 10837  0 Nov01 ?        00:00:36 nginx: cache manager process
root     10939 10879  0 19:15 pts/1    00:00:00 grep --color=auto nginx

We can see that the PID of the nginx master process is 10837. Record this number as it will be needed later.

Check the Process Path

When Linux starts a process, the system creates a folder named after the PID under /proc. This folder contains information about the process, including a file named exe which records the absolute path. You can view it using the ll or ls -l command.

In the previous step, we obtained the nginx process ID as 10837. Let's use the ls command to see what's inside.

[root@sharktech ~]# ls -l /proc/10837
total 0
dr-xr-xr-x. 2 root root 0 Nov 12 19:19 attr
-rw-r--r--. 1 root root 0 Nov 12 19:19 autogroup
-r--------. 1 root root 0 Nov 12 19:19 auxv
-r--r--r--. 1 root root 0 Nov 12 19:19 cgroup
--w-------. 1 root root 0 Nov 12 19:19 clear_refs
-r--r--r--. 1 root root 0 Nov 12 19:19 cmdline
-rw-r--r--. 1 root root 0 Nov 12 19:19 comm
-rw-r--r--. 1 root root 0 Nov 12 19:19 coredump_filter
-r--r--r--. 1 root root 0 Nov 12 19:19 cpuset
lrwxrwxrwx. 1 root root 0 Nov 12 19:19 cwd -> /root
-r--------. 1 root root 0 Nov 12 19:19 environ
lrwxrwxrwx. 1 root root 0 Nov 12 19:19 exe -> /usr/local/nginx/sbin/nginx
dr-x------. 2 root root 0 Nov 12 19:19 fd
dr-x------. 2 root root 0 Nov 12 19:19 fdinfo

Here we can see exe -> /usr/local/nginx/sbin/nginx. The path pointed to by the exe symbolic link, /usr/local/nginx/sbin/nginx, is the actual path of the nginx process.

The meanings of the files (or folders) in this directory are as follows:

  • cwd: A symbolic link to the directory where the process is running.
  • exe: A symbolic link to the absolute path of the executable program.
  • cmdline: The command-line arguments entered when the program was run.
  • environ: Records the environment variables when the process was running.
  • fd: A directory containing symbolic links to files opened or used by the process.

Some content in this article is referenced from: Linux Check Process Running Full Path Method