I am trying to list all of the running processes in Linux that were run from executables that no longer exist on disk.
From what I have had a looked at, the /proc filesystem contains the /proc/[pid]/exe symbolic link. But this is only when the executable exists.
Is there a way of doing this?
Depending on the kernel (or OS? - mine is 3.16.7-21-desktop/OpenSUSE 13.2) it might be really simple since the link source is renamed automatically when the original exe is removed - a ' (deleted)' suffix is appended to it:
$ ls -ld /proc/16415/exe
lrwxrwxrwx 1 dancorn at 0 May 25 10:48 /proc/16415/exe -> /tmp/sleep (deleted)
For older versions where the symlink is not renamed, if it is also not removed (it doesn't have to be) it would just be a broken symlink, also relatively easy to check:
$ python
>>> import os
>>> os.path.realpath('/proc/16415/exe')
'/tmp/sleep (deleted)'
>>> os.path.exists(os.path.realpath('/proc/16415/exe'))
False