0

I am trying to list all of the running processes in Linux that were run from executables that no longer exist on disk.

From what I have had a looked at, the /proc filesystem contains the /proc/[pid]/exe symbolic link. But this is only when the executable exists.

Is there a way of doing this?

DesiBoyz
  • 130
  • 2
  • 14

1 Answers1

1

Depending on the kernel (or OS? - mine is 3.16.7-21-desktop/OpenSUSE 13.2) it might be really simple since the link source is renamed automatically when the original exe is removed - a ' (deleted)' suffix is appended to it:

$ ls -ld /proc/16415/exe
lrwxrwxrwx 1 dancorn at 0 May 25 10:48 /proc/16415/exe -> /tmp/sleep (deleted)

For older versions where the symlink is not renamed, if it is also not removed (it doesn't have to be) it would just be a broken symlink, also relatively easy to check:

$ python
>>> import os
>>> os.path.realpath('/proc/16415/exe')
'/tmp/sleep (deleted)'
>>> os.path.exists(os.path.realpath('/proc/16415/exe'))
False
Dan Cornilescu
  • 39,470
  • 12
  • 57
  • 97
  • > no longer exist on disk. < `/tmp` is usually not on disk, so technically... ;) – myaut May 25 '15 at 15:18
  • I just used /tmp to store a copy of the sleep executable to be deleted while it's running (to repro your case): cp -a /usr/bin/sleep /tmp; /tmp/sleep 3000 &; ps -ef | grep sleep; rm /tmp/sleep – Dan Cornilescu May 25 '15 at 15:22
  • That was a joke. OP incorrectly states that _deleted_ files are _no longer exist on disk_, but files in `/tmp` may never be written on disk even if they are not deleted. – myaut May 25 '15 at 15:24
  • a symlink can happily exist while pointing to non-existent destinations - this will be the case with the /proc/[pid]/exe symlink once the real exe it points to dissapears. – Dan Cornilescu May 25 '15 at 15:26