Drill: Explore the /proc Filesystem for a Process

Goal

Read /proc/PID entries to inspect a running process's command line, environment, file descriptors, memory maps, and status.

Setup

  • Linux system with procfs mounted at /proc
  • A running process to inspect (use $$ for your current shell)

Commands

Read the command line of a process:

cat /proc/<PID>/cmdline | tr '\0' ' ' ; echo

View the process environment variables:

cat /proc/<PID>/environ | tr '\0' '\n' | head -20

Check process status (state, memory, threads):

cat /proc/<PID>/status

List open file descriptors:

ls -la /proc/<PID>/fd/

Count open file descriptors:

ls /proc/<PID>/fd/ | wc -l

View memory mappings:

cat /proc/<PID>/maps | head -20

Check resource limits:

cat /proc/<PID>/limits

Read the process's current working directory:

readlink /proc/<PID>/cwd

Read the actual binary being executed:

readlink /proc/<PID>/exe

What to Look For

  • status shows VmRSS (actual memory usage) and Threads count
  • fd/ symlinks show where each file descriptor points (files, sockets, pipes)
  • environ reveals the exact environment the process sees, useful for debugging config
  • limits shows the ulimits in effect; Max open files is a common bottleneck

Common Mistakes

  • Forgetting to translate null bytes in cmdline and environ (fields are null-delimited)
  • Trying to read /proc entries of another user's process without root
  • Confusing VmSize (virtual) with VmRSS (resident) memory in status
  • Not realizing /proc entries disappear when the process exits
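
The checks from this drill combined into one script, as an added example that is not part of the original page: it prints VmSize next to VmRSS, compares the open descriptor count with the soft Max open files limit, and handles a process that has exited or cannot be read. The PROC_ROOT variable, the function names and the procsum.sh file name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page. PROC_ROOT is an assumption of
# this example: it lets the functions read a saved copy of /proc entries.
PROC_ROOT="${PROC_ROOT:-/proc}"

# status_field PID KEY: print the value of the "KEY:" line in status.
status_field() {
    awk -v key="$2:" '$1 == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' \
        "$PROC_ROOT/$1/status" 2>/dev/null
}

# fd_count PID: number of open descriptors; fails if fd/ is unreadable
# (process exited, or it belongs to another user and we are not root).
fd_count() {
    [ -r "$PROC_ROOT/$1/fd" ] || return 1
    ls "$PROC_ROOT/$1/fd" | wc -l | tr -d ' '
}

# fd_usage_pct PID: open descriptors as a percentage of the soft
# "Max open files" limit (4th field of that line in limits).
fd_usage_pct() {
    used=$(fd_count "$1") || return 1
    soft=$(awk '/^Max open files/ { print $4; exit }' \
        "$PROC_ROOT/$1/limits" 2>/dev/null)
    case "$soft" in ''|0|*[!0-9]*) return 1 ;; esac
    echo $(( used * 100 / soft ))
}

# proc_summary PID: one-screen report built from the entries in this drill.
proc_summary() {
    if [ ! -d "$PROC_ROOT/$1" ]; then
        echo "pid $1: no such entry (process exited?)" >&2
        return 1
    fi
    # cmdline is null-delimited; translate before printing.
    echo "cmdline:  $(tr '\0' ' ' 2>/dev/null < "$PROC_ROOT/$1/cmdline")"
    echo "VmSize:   $(status_field "$1" VmSize) (virtual)"
    echo "VmRSS:    $(status_field "$1" VmRSS) (resident)"
    echo "Threads:  $(status_field "$1" Threads)"
    if pct=$(fd_usage_pct "$1"); then
        echo "fds:      $(fd_count "$1") open, ${pct}% of soft limit"
    else
        echo "fds:      unreadable (other user's process?)"
    fi
}

# Run as: sh procsum.sh <PID>   (for example $$ for the current shell)
if [ "$#" -gt 0 ]; then proc_summary "$1"; fi
```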

Cleanup

No cleanup needed. /proc is a virtual read-only filesystem.