/proc explained

Tags: /proc, Linux, process

Published on: July 22, 2014 by George K.


/proc is not a real file system; it is a virtual file system. The /proc directory contains an unusual type of file: virtual files.

These files are listed, but don't actually exist on disk; the operating system creates them on the fly. They are zero-sized files that are neither binary nor text, yet you can examine and display them. Most virtual files always carry the current timestamp, which indicates that they are constantly being kept up to date. The /proc directory itself is created every time you boot your box. You need to work as root to be able to examine the whole directory; some of the files (such as the process-related ones) are owned by the user who launched that process. Although almost all the files are read-only, a few writable ones (notably in /proc/sys) allow you to change kernel parameters.

/proc Directories with names as numbers
[/proc]# ls -al | more
total 8
dr-xr-xr-x    5 root            root                      0 May 16 07:13 1/
dr-xr-xr-x    5 root            root                      0 May 19 00:34 1020087/
dr-xr-xr-x    5 root            root                      0 Jun  4 22:52 1020394/
dr-xr-xr-x    5 root            root                      0 Jun  3 00:15 1026312/
dr-xr-xr-x    5 root            root                      0 Jun  3 00:15 1026318/
dr-xr-xr-x    5 root            root                      0 May  5 14:33 1040877/
dr-xr-xr-x    5 root            root                      0 Apr  1 17:34 11/
dr-xr-xr-x    5 root            root                      0 May 13 05:15 117400/

As you can see from the above example, the /proc folder contains directories whose names are numbers. These numbers are the process IDs; the files inside a numbered directory correspond to the process with that particular PID, say 1020087.

root@server[/proc/1020087]# ls
./   auxv     coredump_filter  cwd@     exe@  fdinfo/  limits    maps  mounts      numa_maps  oom_score  schedstat  stack  statm   task/ cmdline 

Following are the important files located under each numbered directory (for each process):

cmdline – command line of the binary being executed. The arguments are separated by NUL bytes, so cat shows them run together.

[/proc/1020087]# cat cmdline
/bin/sh/usr/bin/mysqld_safe--datadir=/var/lib/mysql--pid-file=/var/lib/mysql/server.com.pid

environ – environment variables of the process (also NUL-separated, hence the run-together output).

root@xxx [/proc/1020087]# cat environ
PATH=/sbin:/usr/sbin:/bin:/usr/bin://binPWD=/usrSHLVL=1RESTARTSRV=1RESTARTSRV_CHECKMODE_HEADER=1OLDPWD=/_=/usr/bin/mysqld_safe

fd – Contains the file descriptors of the process, each a symbolic link to the file it refers to.

[/proc/1020087]# ls -l fd
dr-x------ 2 root root  0 Jun  5 00:54 ./
dr-xr-xr-x 5 root root  0 May 19 00:34 ../
lr-x------ 1 root root 64 Jun  5 01:00 0 -> /dev/null
l-wx------ 1 root root 64 Jun  5 01:00 1 -> /dev/null
l-wx------ 1 root root 64 Jun  5 01:00 2 -> /dev/null
lr-x------ 1 root root 64 Jun  5 01:00 255 -> /usr/bin/mysqld_safe*

cwd – Link to the current working directory of the process.

[/proc/1020087]# ls -l cwd
lrwxrwxrwx 1 root root 0 Jun  5 00:49 cwd -> /usr/

exe – Link to the executable of the process.

ls -l exe
lrwxrwxrwx 1 root root 0 Jun  5 00:33 exe -> /bin/bash*

root – Link to the root directory of the process (for a chrooted process this differs from /).

ls -l root
lrwxrwxrwx 1 root root 0 Jun  5 00:49 root -> //
Used wisely, all these entries help you to identify the details of a process, and they are quite helpful when investigating a server under attack.
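To show how the per-process entries above are read programmatically, here is an added example (not code from the original post): it parses cmdline and environ on their NUL separators, resolves the exe, cwd, root and fd links, and flags an executable that has been deleted from disk since the process started. The proc_root parameter and build_sample_tree helper are assumptions added so the code can run against a constructed copy of the listings above instead of a live /proc.

```python
import os
import tempfile

# Constructed sample, with values copied from the listings above (not a live process).
SAMPLE_PID = 1020087
SAMPLE_CMDLINE = b"/bin/sh\0/usr/bin/mysqld_safe\0--datadir=/var/lib/mysql\0"
SAMPLE_ENVIRON = b"PATH=/sbin:/usr/sbin:/bin:/usr/bin\0PWD=/usr\0SHLVL=1\0_=/usr/bin/mysqld_safe\0"
SAMPLE_LINKS = {"cwd": "/usr", "root": "/", "fd/0": "/dev/null", "fd/1": "/dev/null",
                "fd/2": "/dev/null", "fd/255": "/usr/bin/mysqld_safe"}

def parse_nul_list(data: bytes) -> list:
    """cmdline and environ are NUL-separated, which is why `cat` runs their entries together."""
    return [s.decode(errors="replace") for s in data.split(b"\0") if s]

def process_info(pid: int, proc_root: str = "/proc") -> dict:
    """Gather cmdline, environ, the exe/cwd/root link targets and the open fds of one PID.
    proc_root is a hypothetical parameter so the code can also read a constructed tree."""
    base = os.path.join(proc_root, str(pid))
    info = {"pid": pid, "fds": {}}
    with open(os.path.join(base, "cmdline"), "rb") as f:
        info["cmdline"] = parse_nul_list(f.read())
    with open(os.path.join(base, "environ"), "rb") as f:
        info["environ"] = dict(kv.split("=", 1) for kv in parse_nul_list(f.read()) if "=" in kv)
    for name in ("exe", "cwd", "root"):
        try:
            info[name] = os.readlink(os.path.join(base, name))
        except OSError:  # not root and not the owner, or a kernel thread that has no exe
            info[name] = None
    try:
        for fd in os.listdir(os.path.join(base, "fd")):
            info["fds"][int(fd)] = os.readlink(os.path.join(base, "fd", fd))
    except OSError:
        pass
    # The kernel appends " (deleted)" to the exe target when the binary was removed from
    # disk after the process started; on a hacked server that deserves a closer look.
    info["exe_deleted"] = bool(info["exe"]) and info["exe"].endswith(" (deleted)")
    return info

def build_sample_tree(exe_target: str = "/bin/bash") -> str:
    """Write the constructed sample as a fake /proc tree in a temp dir and return its path."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, str(SAMPLE_PID))
    os.makedirs(os.path.join(base, "fd"))
    for name, data in (("cmdline", SAMPLE_CMDLINE), ("environ", SAMPLE_ENVIRON)):
        with open(os.path.join(base, name), "wb") as f:
            f.write(data)
    for rel, target in dict(SAMPLE_LINKS, exe=exe_target).items():
        os.symlink(target, os.path.join(base, rel))
    return root
```

On a Linux box, process_info(os.getpid()) reads the real /proc entries of the interpreter itself; other users' processes need root, as the post notes.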
Some virtual files provide hardware information, such as /proc/cpuinfo, /proc/meminfo, and /proc/interrupts. Others give file-related info, such as /proc/filesystems or /proc/partitions. The files under /proc/sys are related to kernel configuration parameters, as we’ll see.
The cat /proc/meminfo command might bring up something like this:

# cat /proc/meminfo
MemTotal:     24625332 kB
MemFree:       1135328 kB
Buffers:        531228 kB
Cached:       15162364 kB
SwapCached:         52 kB

Category : Linux

George K.

George started his career in web hosting and Linux technical support in the year 2004 and is with SupportSages since 2009. He has keen interest in server optimizations, custom security solutions, hacked server recovery, cyber forensic and high availability fail over system design and implementation. George loves long drives and is passionate about art and literature.
