1000
Sticky Bit
The sticky bit restricts deletion inside a directory: a file in a sticky directory can be unlinked or renamed only by the file's owner, the directory's owner, or root (CAP_FOWNER), even when the directory is world-writable. It is directory-focused: on Linux the sticky bit on a regular file is ignored (historically it kept a program's text in swap).
Critical for shared writable directories and essential for /tmp. In WordPress it is useful only in specific protected shared-cache or workspace directories, never on general WP content.
Objective
Learn the 1000 sticky bit permission, its behavior, use cases, and safe application on WordPress VPS.
Core Concept
Meaning of first digit
| Digit | Meaning |
|---|---|
| 1 | Enable sticky bit |
Pattern
1xyz # Sticky + regular permission xyz
Typical example:
1777 # Sticky + 777
Key Behavior (directories)
- Directory writable by many users
- Prevents users from deleting each other's files
Syntax Formula
Set sticky bit
chmod 1xxx <directory>
Shortcut:
chmod +t <directory>
Remove sticky bit
chmod -t <directory>
Permission Indicator
ls -ld <directory>
Expected flag:
drwxrwxrwt
A lowercase t replaces the x in the "others" execute position when the sticky bit is set. If others have no execute permission the flag shows as an uppercase T instead (for example drwxrwx--T for mode 1770), so both letters mean the bit is on.
Real Examples & Expected Output
Set sticky on shared dir
mkdir /srv/shared
chmod 1777 /srv/shared
ls -ld /srv/shared
Output:
drwxrwxrwt ... /srv/shared
Remove sticky bit
chmod -t /srv/shared
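The set/verify/remove sequence above, as an added example that is not part of the original page: it reads the sticky bit back from the octal mode and from the symbolic mode (the t versus T indicator), using a temporary directory in place of /srv/shared so it runs as an unprivileged user. It assumes GNU coreutils (stat -c, chmod +t/-t).

```shell
#!/bin/sh
# Added example, not from the original page: set, verify and remove the sticky
# bit on a directory you own, and read the indicator the way ls -ld shows it.
# Assumes GNU coreutils (stat -c, chmod +t/-t). The page's /srv/shared is
# replaced by a temporary directory so this runs unprivileged.

# sticky_mode DIR -> prints "sticky" or "nosticky", based on the octal mode.
# stat %a prints e.g. 1777 when the bit is set and 755 when no special bit is
# set; a leading 1, 3, 5 or 7 means the sticky (1000) bit is present.
sticky_mode() {
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        [1357]???) echo sticky ;;
        *)         echo nosticky ;;
    esac
}

# other_flag DIR -> last character of the symbolic mode (t, T, x or -).
# t: sticky and others may search the directory; T: sticky but others lack x.
other_flag() {
    perm=$(stat -c '%A' "$1")
    printf '%s\n' "${perm#"${perm%?}"}"
}

# demo -> runs the page's set/verify/remove sequence and prints four tokens.
demo() {
    d=$(mktemp -d)
    chmod 1777 "$d"                  # sticky + 777, as on /tmp
    a=$(sticky_mode "$d")            # sticky
    f1=$(other_flag "$d")            # t
    chmod 1770 "$d"                  # sticky, group-shared, no access for others
    f2=$(other_flag "$d")            # T (uppercase: others have no execute bit)
    chmod -t "$d"                    # remove the sticky bit, keep 770
    b=$(sticky_mode "$d")            # nosticky
    rmdir "$d"
    echo "$a $f1 $f2 $b"             # sticky t T nosticky
}

demo
```

Run it as any user; the last line printed should be sticky t T nosticky. Checking the octal mode rather than grepping ls output avoids misreading the uppercase T on group-only directories such as 1770.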
WordPress-Relevant Usage
| Scenario | Valid | Notes |
|---|---|---|
| System /tmp | ✅ | Default and mandatory |
| Dedicated shared cache/tmp outside the public web root | ✅ | With a strict group model |
| wp-content/uploads | ❌ | Never |
| wp-content/cache | ❌ | Not recommended |
| Shared SFTP/web designer workspace | ✅ | If it is an isolated directory tree |
| Public writable folder used by web apps | ✅ | With caution and explicit access rules |
WordPress VPS Scenarios
| Example | Guidance |
|---|---|
| Multi-developer folder /srv/wpshare | Allowed with mode 1770 (the leading 1 is the sticky bit) plus ACLs for per-user access |
| WP uploads | Never: exposure and overwrite risk |
| PHP session directory | Sticky bit required (distribution default) |
| Cloud panel shared public folder | Only if the OS or panel sets it by default; do not add it yourself |
Rule: the sticky bit protects users' files from each other, not from an attacker. A compromised web-server process can still modify or delete every file that process owns.
Security Considerations
Benefits
| Benefit | Description |
|---|---|
| Protects user files in shared dirs | Prevents cross-user deletion and renaming |
| Mandatory for /tmp | PHP/session security |
Risks
| Risk | Root cause |
|---|---|
| Used on the wrong directories | It implies a multi-writer directory; inside a web tree it signals group- or world-writable paths that should have a single owner |
| False sense of security | It blocks only unlink and rename by non-owners; a file that is group- or world-writable can still be read and overwritten in place |
Audit
find / -type d -perm -1000 2>/dev/null
Best Practices
| Recommendation | Reason |
|---|---|
| Use sticky only in shared writable dirs | That is the security model it was designed for |
| Never apply inside wp-content | It implies shared write access; wp-content should have one owner and no group/world write |
| For WP cache and uploads use strict owner permissions | 755/750 on directories, owned by the correct user |
| Use ACLs instead of sticky for team collaboration | Granular per-user control |
ACL Example:
setfacl -m u:dev:rwx /srv/shared
WP-Specific Quick Audit
Scan wp tree:
find /home -type d -perm -1000
If any result appears under:
- wp-content/uploads
- wp-content/cache
- theme or plugin folders
remove the sticky bit and correct the permissions.
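The quick audit and its remediation step, as an added example that is not part of the original page. It reports sticky directories under a WordPress root and also the worse case the page warns about, a world-writable directory without the sticky bit, then resets a flagged directory to a single-owner 755 model. It assumes GNU find and chmod; the wp-content layout is the standard one, and the tree built by the self-check is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: audit a WordPress tree for sticky
# directories and for world-writable directories without the sticky bit, then
# reset a flagged directory to owner-only write (755). Assumes GNU find/chmod.
# Usage on a real install:  audit_wp_tree /var/www/html
# The tree built by self_check below is constructed, not a real site.

# audit_wp_tree ROOT -> one finding per line:
#   STICKY <dir>          sticky bit set inside the WP tree (should not be there)
#   WORLD_WRITABLE <dir>  others may write and no sticky bit: anyone can delete anything
audit_wp_tree() {
    find "$1" -type d -perm -1000 2>/dev/null | sed 's|^|STICKY |'
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sed 's|^|WORLD_WRITABLE |'
}

# remediate_dir DIR -> drop the sticky bit and fall back to 755.
# Ownership is left alone; fix that separately with chown to the deploy user.
remediate_dir() {
    chmod -t "$1"        # explicit; a 3-digit numeric mode also clears it on GNU chmod
    chmod 755 "$1"
}

# self_check -> builds a constructed throwaway tree with two misconfigurations,
# audits it, remediates, and audits again; the temp path is printed as ROOT.
self_check() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/wp-content/cache" "$root/wp-content/themes/demo"
    find "$root" -type d -exec chmod 755 {} +      # clean baseline regardless of umask
    chmod 1777 "$root/wp-content/cache"            # misconfig 1: sticky inside wp-content
    chmod 777  "$root/wp-content/uploads"          # misconfig 2: world-writable, no sticky
    audit_wp_tree "$root" | sort | sed "s|$root|ROOT|"
    remediate_dir "$root/wp-content/cache"
    remediate_dir "$root/wp-content/uploads"
    [ -z "$(audit_wp_tree "$root")" ] && echo CLEAN
    rm -rf "$root"
}

self_check
```

Running it prints STICKY ROOT/wp-content/cache, WORLD_WRITABLE ROOT/wp-content/uploads and then CLEAN once both directories are reset. On a live server point audit_wp_tree at the document root and treat every line as something to explain or fix.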
Go-Live Checklist
| Item | ✅ |
|---|---|
| Sticky only in /tmp and managed shared dirs | ✅ |
| No sticky inside public WP path | ✅ |
| ACLs or sudo rules for shared access | ✅ |
| Verify PHP tmp path sticky set | ✅ |
Troubleshooting Matrix
| Problem | Cause | Fix |
|---|---|---|
| Cannot delete others' files | Sticky enabled (this is the intended behaviour) | Have the file owner, directory owner or root delete it; use chmod -t only on a directory that is not shared |
| Users overwriting each other | Wrong perms, no ACL | Fix ACL + directory perms |
| Sticky used on wp-content | Misuse | Remove sticky + reset perms |
Quick Lab
Create sticky-protected collaboration directory
groupadd wpteam
mkdir /srv/wpteam
chgrp wpteam /srv/wpteam
chmod 1770 /srv/wpteam
ls -ld /srv/wpteam
Expected:
drwxrwx--T ... /srv/wpteam
Cheat Sheet
| Command | Purpose |
|---|---|
| chmod 1xxx dir | Sticky + permissions |
| chmod +t/-t dir | Add/remove sticky bit |
| find / -type d -perm -1000 | Audit sticky dirs |
| ls -ld dir | Check for t bit |
Mini-Quiz
| Question | Answer |
|---|---|
| Purpose of sticky bit? | Prevent cross-user file deletion and renaming |
| Where mandatory? | /tmp, session dirs |
| Safe for uploads/? | No |
| Indicator in ls -ld? | t (or T) in the others execute position |