Get the cwd of a process?

Dan Nelson dnelson at
Fri Oct 30 04:24:34 UTC 2009

In the last episode (Oct 29), patrick said:
> Is there any way to get the cwd of a process? We had the situation
> recently where a perl script was called from an infiltrated Wordpress
> installation, but we weren't able to determine which of the hundreds of
> Wordpress blogs was the source.  The ps listing showed:
> www             63968  2.4  0.2 26092  5008  ??  Rs    5:36PM 93:10.67 ./ (perl5.8.8)
> The procfs entry was no help because it does not seem to provide a cwd. 
> The cmdline entry just showed "/usr/local/bin/perl ./".
> We had to kill the process, and who ever was responsible did a good job of
> hiding their tracks.  But should this happen again (and we expect it
> will), we'd like to be able to find the source.

/usr/bin/fstat will tell you the inode of the cwd, and you can use "find
 -inum" to locate it.  You can also install lsof from ports, which will dig
into the kernel and try and fetch the name itself:

(dan at dan.21) /home/dan> fstat -p $$ | grep wd
dan      zsh        77611   wd /        474264 drwxr-xr-x     533  r
(dan at dan.21) /home/dan> lsof -p $$ -a -d cwd
zsh     77611  dan  cwd   VDIR 60,504234031      533 474264 /usr/home/dan

	Dan Nelson
	dnelson at

More information about the freebsd-questions mailing list