From: patrick
To: FreeBSD Questions
Date: Thu, 29 Oct 2009 14:22:57 -0700
Subject: Get the cwd of a process?

Is there any way to get the cwd of a process?
We had the situation recently where a perl script was called from an infiltrated Wordpress installation, but we weren't able to determine which of the hundreds of Wordpress blogs was the source. The ps listing showed:

    www 63968 2.4 0.2 26092 5008 ?? Rs 5:36PM 93:10.67 ./mrf.pl (perl5.8.8)

The procfs entry was no help because it does not seem to provide a cwd. The cmdline entry just showed "/usr/local/bin/perl ./mrf.pl".

We had to kill the process, and whoever was responsible did a good job of hiding their tracks. But should this happen again (and we expect it will), we'd like to be able to find the source.

Patrick