1755
Sticky Bit + 755
1755 combines:
- **Sticky bit (1)**: Only file owner/root can delete in the directory
- Standard **755** permissions:
  - Owner rwx
  - Group r-x
  - Others r-x

Result: directory or file executable for everyone, but **deletion inside is restricted** if the directory is sticky-enabled.
Used mainly for **shared writable directories**; rarely needed in typical WordPress setups.
Objective
Understand 1755 behavior, safe usage guidelines, and when to avoid it in WordPress environments.
Concept Breakdown
Octal structure
| Digit | Meaning |
|---|---|
| 1 | Sticky bit |
| 7 | Owner rwx |
| 5 | Group r-x |
| 5 | Others r-x |
Effects
| Context | Behavior |
|---|---|
| Directory | Users cannot delete others' files |
| File | Sticky bit mostly irrelevant on files |
Syntax Formula
Set sticky + 755
chmod 1755 <directory>
Remove sticky bit
chmod -t <directory>
Permission Indicator
In ls -ld:
drwxr-xr-t
A t in the **others** execute position indicates the sticky bit.
Practical Example with Output
Create shared directory w/ sticky bit
mkdir /srv/shared-cache
chmod 1755 /srv/shared-cache
ls -ld /srv/shared-cache
Expected:
drwxr-xr-t ... /srv/shared-cache
WordPress-Relevant Usage
| Scenario | Valid | Notes |
|---|---|---|
| PHP /tmp directory | ✅ | OS defaults handle this |
| Shared developer scratch dir | ✅ | If controlled access |
| WP uploads directory | ❌ | Never |
| WP cache directory | ❌ | Avoid |
| Public HTTP directories | ❌ | Attack surface |
Practical WP Server Scenarios
| Case | Guidance |
|---|---|
| Shared /srv/teamzone for devops | Allowed w/ ACLs |
| PHP temp/session locations | Kernel default only |
| wp-content tree | Must avoid |
| /tmp for apps | Usually managed by system — do not override |
Security Considerations
Risks
| Risk | Reason |
|---|---|
| Used in web directories | Attackers can place files + persistence |
| Misunderstanding sticky | Doesn’t prevent read/write abuse |
| Shared hosting behavior | WP security model breaks |
Audit
find / -perm -1000 2>/dev/null
Remove
chmod -t <path>
Best Practices
| Rule | Reason |
|---|---|
| Use sticky only on shared dirs | Protect cross-user deletes |
| Never on WordPress data dirs | Upload path risk |
| Prefer ACLs & sudo policies | Granular control |
| Let OS handle /tmp perms | Secure defaults |
WordPress Audit Commands
Scan WP tree:
find /home -type d -perm -1000
Expected result: blank
Found?
chmod -t <dir>
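
The audit and removal steps above, combined into one function suitable for the weekly check. This is an added example, not part of the original page; the function name `audit_sticky`, its exit codes and the `--fix` flag are assumptions of this example, and the root path is whatever WordPress tree you pass in.

```sh
#!/bin/sh
# Added example: sticky-bit audit for a WordPress tree.
# Return status: 0 = no sticky directories, 1 = at least one found, 2 = bad argument.
# Usage after sourcing this file: audit_sticky <wordpress-root> [--fix]

audit_sticky() {
    as_root=$1
    as_fix=${2:-}

    if [ ! -d "$as_root" ]; then
        echo "audit_sticky: not a directory: $as_root" >&2
        return 2
    fi

    # Count matches by emitting one byte per directory instead of counting
    # output lines: directory names under an uploads path may contain newlines.
    # -perm -1000 matches any mode with the sticky bit set (1755, 1775, 1777, ...).
    as_count=$(find "$as_root" -xdev -type d -perm -1000 -exec printf x \; | wc -c)
    as_count=$((as_count))   # normalise padding some wc implementations add

    if [ "$as_count" -eq 0 ]; then
        echo "OK: no sticky directories under $as_root"
        return 0
    fi

    echo "FOUND: $as_count sticky directories under $as_root"
    find "$as_root" -xdev -type d -perm -1000 -exec ls -ld {} +

    if [ "$as_fix" = "--fix" ]; then
        # Same remediation as above: clear only the sticky bit, leave rwx bits alone.
        find "$as_root" -xdev -type d -perm -1000 -exec chmod -t {} +
        echo "FIXED: sticky bit cleared, re-run to confirm"
    fi
    return 1
}
```

A non-zero return without `--fix` makes the function usable as a cron or CI gate: the job fails whenever a sticky directory appears in the tree.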
Go-Live Checklist
| Item | ✅ |
|---|---|
| Sticky only on intended directories | ✅ |
| No sticky under /home/*/public_html | ✅ |
| ACLs enforced for team dirs | ✅ |
| No sticky override for /tmp | ✅ |
| Weekly check configured | ✅ |
Troubleshooting Matrix
| Problem | Cause | Fix |
|---|---|---|
| Cannot delete files in dir | Sticky bit set | chmod -t |
| WP scans warn about perms | Sticky bit misused | Remove + reset perms |
| Web user persistence risk | Sticky on web dirs | Remove + isolate |
Quick Lab
Create safe sticky directory for dev team:
groupadd wpdev
mkdir /srv/wpdev-tmp
chgrp wpdev /srv/wpdev-tmp
chmod 1775 /srv/wpdev-tmp
ls -ld /srv/wpdev-tmp
Expected:
drwxrwxr-t ... /srv/wpdev-tmp
Cheat Sheet
| Command | Description |
|---|---|
| chmod 1755 | Sticky + 755 |
| chmod -t | Remove sticky |
| find / -perm -1000 | Audit sticky dirs |
| ls -ld | Check t bit |
Mini Quiz
| Question | Answer |
|---|---|
| What does 1 in 1755 do? | Sticky bit |
| Safe for wp-content? | No |
| Indicator in ls? | t on other execute bit |
| Primary purpose? | Prevent cross-user deletion |