Get the cwd of a process?

patrick gibblertron at gmail.com
Thu Oct 29 21:22:57 UTC 2009


Is there any way to get the cwd of a process? We had the situation
recently where a Perl script was called from an infiltrated WordPress
installation, but we weren't able to determine which of the hundreds
of WordPress blogs was the source. The ps listing showed:

www             63968  2.4  0.2 26092  5008  ??  Rs    5:36PM  93:10.67 ./mrf.pl (perl5.8.8)

The procfs entry was no help because it does not seem to provide a
cwd. The cmdline entry just showed "/usr/local/bin/perl ./mrf.pl".

We had to kill the process, and whoever was responsible did a good
job of hiding their tracks. But should this happen again (and we
expect it will), we'd like to be able to find the source.

Patrick


More information about the freebsd-questions mailing list