
2000: SGID (Set Group ID)

SGID (the 2000 bit) makes group ownership inherited. On an executable file, the process runs with the file's group as its effective group rather than the invoking user's; on a directory, new files and subdirectories inherit the directory's group instead of the creating user's primary group.

For WordPress servers, SGID is occasionally useful for controlled shared-group workflows, but dangerous if misapplied on web-writable paths.

Objective

Understand how SGID (2000) works for files and directories, identify safe uses, and enforce security in a WordPress VPS context.

Core Concept

SGID bit meaning

| Digit | Meaning |
|-------|---------|
| 2 | Enable SGID bit |

General Pattern

2xyz # SGID + regular permission xyz

Common example:

2755 # SGID + 755

Effects

| Target | Behavior |
|--------|----------|
| File | Executes with the file's group privileges |
| Directory | Files created inside inherit the directory's group |

Syntax Formula

Apply SGID

chmod 2xxx <file/dir>

Remove SGID

chmod g-s <file/dir>

Check SGID files/dirs

find / -perm -2000 2>/dev/null

Permission Indicator (ls Output)

File with SGID

-rwxr-sr-x

Directory with SGID

drwxr-sr-x

Note the s replacing x in the group field. A lowercase s means SGID plus group execute; an uppercase S means SGID is set but group execute is not, which is usually a mistake worth checking.

Practical Examples

Example 1: SGID on directory for shared team folder

mkdir /srv/project
chgrp developers /srv/project
chmod 2775 /srv/project
ls -ld /srv/project

Expected:

drwxrwsr-x ... /srv/project

Example 2: SGID on executable script

chmod 2755 /usr/local/bin/maint-script
ls -l /usr/local/bin/maint-script

Expected:

-rwxr-sr-x ... maint-script

WordPress-Relevant Usage

| Use Case | Recommendation |
|----------|----------------|
| Shared deployment folder for dev/sysadmin | ✅ Valid |
| Shared log directory for controlled team | ✅ Valid |
| Public web directories (wp-content/uploads) | ❌ Never |
| Plugin/theme directories | ❌ Never |
| DB or backup folders | ❌ Avoid: risk of privilege abuse |

WP rule: SGID should never touch writable web directories.

WordPress VPS Scenarios

| Scenario | Action |
|----------|--------|
| Shared maintenance scripts between admin users | OK with SGID |
| Deploy pipeline generating files in shared group | OK |
| Shared editing inside /var/www or /home/{user} | Prefer sudo + git |
| Uploads/media directory | Prohibited for SGID |
| Nginx/OLS + PHP user group mix | Use chown -R + correct groups instead |

Security Considerations

Risks

| Risk | Description |
|------|-------------|
| Privilege escalation | If the group holds high-privilege roles |
| Group takeover | Files inherit the wrong group |
| Web exploitation | An attacker who compromises the web user gains the group's write access |

Audit

find / -perm -2000 2>/dev/null

Remove

chmod g-s /path

Prevention

  • Limit to admin-controlled, non-public dirs
  • Never expose to web-write paths (uploads, cache folders, tmp)

Best Practices

| Practice | Reason |
|----------|--------|
| Use SGID only for internal controlled automation | Security |
| Use sudoers for admin escalation | Logged + safer |
| Keep /var/www user-isolated | Hardens WP environment |
| Prefer group-based ACLs for team access | More control |

Example ACL:

setfacl -m g:dev:rwx /srv/project

WP Security Quick Audit

Scan only WP dirs:

find /home -perm -2000

If found in:

  • wp-content
  • plugin/theme directory
  • user home under web folders

remove immediately.

chmod g-s <path>
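The quick audit above is two commands run by hand; the script below is an added example (not from the original page) that turns the same find / chmod g-s steps into a repeatable check: it lists every SGID path under a root, flags only those whose path contains a web-writable component (wp-content, uploads, cache, tmp), and strips the bit from those. The path components in WEB_WRITABLE_PATTERN and the function names are assumptions chosen for this example; paths are matched relative to the root so a scratch location such as /tmp does not trigger the tmp rule itself.

```shell
#!/bin/sh
# Added example: audit and remediate SGID bits under a WordPress document root.
# Assumes POSIX find/grep and that the caller may chmod the flagged paths.

# Path components that must never carry SGID on a WP host (assumed list).
WEB_WRITABLE_PATTERN='/(wp-content|uploads|cache|tmp)(/|$)'

# Print every SGID file or directory under root $1, relative to that root
# (e.g. ./site/wp-content/uploads/shared), one per line.
list_sgid() {
  ( cd "$1" && find . -perm -2000 -print 2>/dev/null )
}

# Print only the SGID paths that sit inside a web-writable component.
# Prints nothing (and exits 0) when the tree is clean.
find_web_writable_sgid() {
  list_sgid "$1" | grep -E "$WEB_WRITABLE_PATTERN" || :
}

# Print the number of offending paths under root $1 (0 when clean).
count_web_writable_sgid() {
  find_web_writable_sgid "$1" | grep -c . || :
}

# Remove the SGID bit from every offending path under root $1, leaving
# legitimate SGID directories (e.g. a shared deploy folder) untouched.
strip_web_writable_sgid() {
  (
    cd "$1" && find_web_writable_sgid . | while IFS= read -r p; do
      chmod g-s "$p"
    done
  )
}

# Usage: ./sgid-audit.sh /home/site  (cron-friendly: exit 1 when hits remain)
if [ -n "$1" ]; then
  n=$(count_web_writable_sgid "$1")
  echo "SGID paths in web-writable locations: $n"
  find_web_writable_sgid "$1"
  [ "$n" -eq 0 ]
fi
```

Run it weekly from the maintenance cron with the document root as the argument; a non-zero exit means a web-writable path still carries SGID. The remediation function is kept separate so the audit can run read-only first.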

Go-Live Checklist

| Task | Done |
|------|------|
| No SGID on public directories | |
| Only trusted team groups allowed | |
| Sudoers rules defined | |
| WP user isolation enforced | |
| Weekly SGID audit in maintenance cron | |

Troubleshooting Matrix

| Symptom | Cause | Solution |
|---------|-------|----------|
| Unexpected group for new files | SGID set on directory | chmod g-s dir |
| Unauthorized shared access | Too-permissive group | Fix perms/ACL |
| Exec inherits wrong group | Bad SGID on script | Remove SGID + use sudoers |

Quick Lab

Create group collaboration folder

groupadd webteam
mkdir /mnt/wpshare
chgrp webteam /mnt/wpshare
chmod 2775 /mnt/wpshare

Test:

  • A user in webteam creates a file inside /mnt/wpshare; the file should inherit the webteam group
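The lab test above is checked by eye with ls; the script below is an added example (not from the original page) that performs the same check programmatically in a scratch directory: it sets 2775, reads the octal mode back with stat, confirms a file created inside takes the directory's group, and confirms a subdirectory created inside inherits the SGID bit itself (Linux propagates the bit to new subdirectories when the creator is a member of the group). The group argument is optional because chgrp to another group needs root or membership; the function names and the scratch layout are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify SGID behaviour on a shared directory.
# Assumes GNU/busybox stat (-c '%a' for octal mode, '%G' for group name).

# Print the octal mode of a path, e.g. 2775.
mode_of() { stat -c '%a' "$1"; }

# Print the group name owning a path.
group_of() { stat -c '%G' "$1"; }

# True when the SGID bit (02000) is set on a path, regardless of other bits.
has_sgid() {
  m=$(mode_of "$1")
  [ $(( 0$m & 02000 )) -ne 0 ]
}

# Create a shared directory with SGID+775, chgrp'ing it to $2 when given
# (needs root or membership in that group). Prints the resulting mode.
make_shared_dir() {
  dir=$1
  grp=${2:-}
  mkdir -p "$dir"
  if [ -n "$grp" ]; then
    chgrp "$grp" "$dir"
  fi
  chmod 2775 "$dir"
  mode_of "$dir"
}

# Create a file inside directory $1 and check it carries the directory's group.
inherits_group() {
  f="$1/probe.txt"
  : > "$f"
  [ "$(group_of "$f")" = "$(group_of "$1")" ]
}

# Create a subdirectory inside $1 and check it inherited the SGID bit.
subdir_inherits_sgid() {
  mkdir -p "$1/sub"
  has_sgid "$1/sub"
}

# Usage: ./sgid-lab.sh /mnt/wpshare webteam
if [ -n "$1" ]; then
  echo "mode: $(make_shared_dir "$1" "$2")"
  inherits_group "$1" && echo "file inherits group $(group_of "$1")"
  subdir_inherits_sgid "$1" && echo "subdirectory inherits SGID"
  ls -ld "$1"
fi
```

Once the scratch run passes, repeat it as root with the real group (webteam) and the real path to reproduce the lab; the ls -ld line should then show drwxrwsr-x with webteam as the group.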

Cheat Sheet

| Command | Purpose |
|---------|---------|
| chmod 2xxx | Set SGID |
| chmod g-s | Remove SGID |
| find / -perm -2000 | Scan for SGID |
| ls -l | Check for s in the group exec bit |

Mini-Quiz

| Question | Answer |
|----------|--------|
| What does 2xxx enable? | SGID |
| File vs dir behavior? | File = exec as group; Dir = inherit group |
| Safe for wp-content? | No |
| Indicator in ls -l? | s in group bit |