Which script from /etc/init.d/ started the process

Tags: daemon, init, process

Let's say we have a PID of a process and we know that it was started by init during startup. How do we find the script name that started it?

One way is to run grep $PROCESS_NAME /etc/init.d/*, but that solution is neither bulletproof nor very elegant.

Another one would be to run service --status-all and there is a good chance that the PID will be returned by one of the services, but that's even less elegant than the previous solution.

EDIT:

The OS is RedHat/Ubuntu.

Let's suppose we have sshd running with PID 2083 like so:

UID        PID  PPID  C STIME TTY          TIME CMD
root      2083     1  0  2012 ?        00:00:00 /usr/sbin/sshd -D

The parent of it is init and I guess that it was started with the command service sshd start during bootup, but if we have something that cannot be easily guessed, for example a convoluted startup command or because of an obfuscated /etc/init.d/somedeamon script – how do we find the somedeamon script, knowing only the PID?

Best Answer

An easy way to follow the PPID chain backwards is with the pstree tool:

pstree -p PID

This will show all the parent processes of the specified PID, for example:

$ pstree 42284
-+= 00001 root /sbin/launchd
 \-+= 00199 jack /sbin/launchd
   \-+= 00254 jack /Applications/iTerm.app/Contents/MacOS/iTerm -psn_0_90134
     \-+= 00309 root login -fp jack
       \-+= 00310 jack -bash
         \--= 42284 jack vim site.txt
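The PPID walk that the answer describes, written out as an added example (not code from the original post). It assumes a Linux /proc filesystem, as on the RedHat/Ubuntu systems in the question; the function names ppid_of, cmdline_of and ancestry are hypothetical.

```shell
#!/bin/sh
# Added example: follow the PPID chain of a PID by reading /proc (Linux only).
# Prints one "PID<TAB>command line" row per process, starting at the given PID
# and ending at the process whose parent is PID 0.

ppid_of() {
    # The PPid: field of /proc/PID/status; prints nothing if the process is gone.
    awk '/^PPid:/ {print $2}' "/proc/$1/status" 2>/dev/null || true
}

cmdline_of() {
    # /proc/PID/cmdline is NUL-separated; kernel threads have an empty one,
    # so fall back to the short name in /proc/PID/comm, shown in brackets.
    cmd=$(tr '\0' ' ' 2>/dev/null < "/proc/$1/cmdline") || cmd=""
    [ -n "$cmd" ] || cmd="[$(cat "/proc/$1/comm" 2>/dev/null)]"
    printf '%s' "$cmd"
}

ancestry() {
    pid=$1
    # Accept only a decimal PID so the value is safe to use in a /proc path.
    case $pid in
        ''|*[!0-9]*) echo "usage: ancestry PID" >&2; return 2 ;;
    esac
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    while [ -n "$pid" ] && [ "$pid" -gt 0 ]; do
        printf '%s\t%s\n' "$pid" "$(cmdline_of "$pid")"
        pid=$(ppid_of "$pid")
    done
}
```

Run it as `ancestry 2083` for the sshd process in the question. A process whose PPID is 1 produces two rows: itself and init.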