# 2744
SGID + 744

2744 combines:
- SGID (2): an executable runs with the file's group, or files created in a directory inherit that directory's group
- Owner: rwx
- Group: r--
- Others: r--

Effect: only the owner can write and execute; group and others can only read, and SGID inheritance applies.
This creates a **read-share, owner-controlled execution environment**.
Rare in WordPress systems. Used when a single trusted user executes files but the group needs read-only access, with group inheritance on new files.

## Objective
Understand 2744 and enforce correct usage on a WordPress VPS.

## Concept Breakdown
### Octal structure
| Digit | Meaning |
|---|---|
| 2 | SGID enabled |
| 7 | Owner rwx |
| 4 | Group r-- |
| 4 | Others r-- |

### Behavior
| Target | Result |
|---|---|
| File (executable) | Owner executes w/ group privilege if applicable |
| Directory | New files inherit group |

## Syntax Formula
Apply SGID + 744:
```
chmod 2744 <file|directory>
```
Remove SGID:
```
chmod g-s <file|directory>
```
Verify:
```
ls -l <file|directory>
```

## Permission Indicator
File:
```
-rwxr--r--   # plain 744, no SGID
-rwxr-Sr--   # 2744: SGID set but no group execute, shown as capital S
```
Directory:
```
drwxr-Sr--   # 2744 on a directory: SGID set, group execute missing
```
Key: **S in the group execute position because group exec is missing.**
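To make the S/s indicator mechanical rather than something to memorise, here is an added shell example (not from the original page) that decodes any four-digit octal mode into the `ls -l` string. It generalises beyond 2744: the same rule gives `s`/`S` for setuid in the owner slot and `t`/`T` for the sticky bit in the others slot, and the capital letter always means the matching execute bit is absent. That absence matters for files: on Linux the setgid bit on an executable only changes the process group when group execute is also set, which 744 lacks, so for a 2744 file the SGID bit is effectively inert and the useful effect of 2744 is the group inheritance on directories. Function names (`mode_to_symbolic`, `sgid_flag`) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page: decode an octal mode into
# the ls -l permission string, with the special bits rendered the way ls does
# (s/S in the owner and group execute slots, t/T in the others slot).

# rwx_triplet DIGIT -> the rwx string for one octal digit (0-7)
rwx_triplet() {
    case "$1" in
        0) printf '%s' '---' ;;  1) printf '%s' '--x' ;;
        2) printf '%s' '-w-' ;;  3) printf '%s' '-wx' ;;
        4) printf '%s' 'r--' ;;  5) printf '%s' 'r-x' ;;
        6) printf '%s' 'rw-' ;;  7) printf '%s' 'rwx' ;;
        *) return 1 ;;
    esac
}

# with_special TRIPLET SET_LETTER UNSET_LETTER: replace the execute slot of a
# triplet with SET_LETTER when x is present, else with UNSET_LETTER (capital)
with_special() {
    if [ "${1#??}" = x ]; then printf '%s%s' "${1%?}" "$2"
    else printf '%s%s' "${1%?}" "$3"; fi
}

# mode_to_symbolic MODE [dir]: e.g. mode_to_symbolic 2744 dir -> drwxr-Sr--
# A three-digit mode is accepted and treated as having no special bits.
mode_to_symbolic() {
    _m=$1
    case "$_m" in
        [0-7][0-7][0-7][0-7]) ;;
        [0-7][0-7][0-7]) _m="0$_m" ;;
        *) echo "mode_to_symbolic: bad mode '$_m'" >&2; return 1 ;;
    esac
    _sp=${_m%???}                          # special digit: 4 suid, 2 sgid, 1 sticky
    _rest=${_m#?}                          # owner, group, others digits
    _u=$(rwx_triplet "${_rest%??}")
    _g=${_rest#?}; _g=$(rwx_triplet "${_g%?}")
    _o=$(rwx_triplet "${_rest#??}")
    [ $((_sp & 4)) -ne 0 ] && _u=$(with_special "$_u" s S)
    [ $((_sp & 2)) -ne 0 ] && _g=$(with_special "$_g" s S)
    [ $((_sp & 1)) -ne 0 ] && _o=$(with_special "$_o" t T)
    if [ "${2:-file}" = dir ]; then _t=d; else _t=-; fi
    printf '%s%s%s%s\n' "$_t" "$_u" "$_g" "$_o"
}

# sgid_flag SYMBOLIC -> the character in the group execute slot (S, s, x or -)
sgid_flag() {
    _c=${1#??????}
    printf '%s\n' "${_c%???}"
}

# Demo: the modes discussed on this page side by side
for m in 744 2744 2754; do
    printf '%s -> %s (group exec slot: %s)\n' "$m" \
        "$(mode_to_symbolic "$m" dir)" "$(sgid_flag "$(mode_to_symbolic "$m")")"
done
```

Running it prints `2744 -> drwxr-Sr--` with `S` in the group slot and `2754 -> drwxr-sr--` with `s`, which is the whole difference the Permission Indicator section describes.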

## Practical Example & Output
Create a secure shared-read folder:
```
groupadd seo-team
mkdir /srv/docs
chgrp seo-team /srv/docs
chmod 2744 /srv/docs
ls -ld /srv/docs
```
Expected:
```
drwxr-Sr-- ... /srv/docs
```
Meaning: the owner has full control, the team can read, and SGID applies for group inheritance.

## WordPress-Relevant Usage
| Scenario | Valid | Notes |
|---|---|---|
| Shared docs/config folder for devops | ✅ If outside web root | |
| Read-only internal scripts | ✅ If not web-exposed | |
| wp-content/uploads | ❌ Breaks upload flow | |
| Plugin/theme directories | ❌ Unusable, insecure pattern | |
| User home WP dirs | ❌ | Avoid SGID in production WP tree |

## WP Production Scenarios
| Use Case | Guidance |
|---|---|
| Internal control scripts repo | Possible if group read-only needed |
| Shared read folder for ops | Fine outside web root |
| WP core, theme, plugin dirs | Do not use |
| Public file area | Prohibited |

## Security Considerations
### Benefits
| Benefit | Reason |
|---|---|
| Shared visibility | Team can audit scripts |
| Owner-only write | Integrity preserved |
| Group inheritance | Consistent group tagging |

### Risks
| Problem | Cause |
|---|---|
| Wrong perms break WP | WP needs write in content dirs |
| SGID in web tree | Escalation potential |
| Misplaced trust | Read access leaks sensitive scripts |

## Best Practices
| Practice | Reason |
|---|---|
| Use only for internal operational directories | Prevent WP conflict |
| Avoid in /home/*/public_html | Attack surface reduction |
| Prefer Git + correct users | Clean privilege model |
| Pair with ACLs for exceptions | Flexibility |

ACL example:
```
setfacl -m g:seo-team:r /srv/docs
```

## WordPress Audit
Check for SGID in WP paths:
```
find /home -perm -2000
```
If 2744 appears:
```
chmod g-s <dir>
chmod 744 <dir>
```

## Go-Live Checklist
| Requirement | ✅ |
|---|---|
| Only internal/shared doc dirs using 2744 | ✅ |
| No SGID under WP tree | ✅ |
| ACLs/sudo where needed | ✅ |
| Weekly audit scheduled | ✅ |

## Troubleshooting Matrix
| Symptom | Cause | Fix |
|---|---|---|
| Users can't modify | Mode is 2744 | Owner makes the change, or grant it via ACL |
| WP media upload fails | Misapplied SGID | Remove + set 755/750 |
| Team cannot run script | Exec only for owner | Use sudo or ACL |

## Quick Lab
Shared read-only directory test:
```
mkdir /srv/readshare
groupadd readers
chgrp readers /srv/readshare
chmod 2744 /srv/readshare
```
Create file:
```
touch /srv/readshare/info.txt
```
Verify:
```
ls -ld /srv/readshare
```
Expect group read only, SGID inheritance set.
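The following added shell example (not part of the original page) runs the Quick Lab in a scratch directory created with `mktemp -d`, so it needs no root and no new group, and folds in the audit from the WordPress Audit section as a dry run that prints the `chmod g-s` / `chmod 744` commands instead of executing them. Besides confirming the 2744 mode and the group inheritance on the new file, it checks a point the lab's "group read only" wording hides: a directory with `r--` for group has no group execute bit, so group members can list the names in it but cannot open the files inside. All paths and function names (`lab_setup`, `sgid_report`, `sgid_fix_plan`, and so on) are constructed for this example; it assumes GNU or BusyBox `find` and `stat`.

```shell
#!/bin/sh
# Added example, not code from the original page: Quick Lab fixture plus a
# dry-run SGID audit. Everything lives under a temporary directory.

# lab_setup ROOT: a 2744 shared-read directory with one file in it, and a
# plain 755 directory as a control for the audit. Paths are constructed.
lab_setup() {
    mkdir -p "$1/readshare" "$1/plain"
    chmod 2744 "$1/readshare"
    chmod 755 "$1/plain"
    touch "$1/readshare/info.txt"
}

# octal_mode PATH: four-digit permission bits including the special digit
# (stat prints 755 for a plain directory; pad it so digit positions line up)
octal_mode() {
    _m=$(stat -c %a "$1")
    case "$_m" in ???) _m="0$_m" ;; esac
    printf '%s\n' "$_m"
}

# check_sgid_dir DIR: succeeds when the directory carries exactly 2744
check_sgid_dir() {
    [ "$(octal_mode "$1")" = 2744 ]
}

# check_group_inherit DIR FILE: succeeds when FILE carries DIR's group,
# which is the SGID effect the lab is meant to show
check_group_inherit() {
    [ "$(stat -c %g "$1")" = "$(stat -c %g "$2")" ]
}

# group_can_traverse DIR: succeeds when the group execute bit is set.
# With 2744 it is not: group members can read the listing but cannot
# open or run anything inside.
group_can_traverse() {
    _m=$(octal_mode "$1")
    _g=${_m#??}; _g=${_g%?}            # third digit = group bits
    [ $((_g & 1)) -ne 0 ]
}

# sgid_report ROOT: "<mode> <path>" for every entry under ROOT with SGID set
sgid_report() {
    find "$1" -perm -2000 -print 2>/dev/null | sort | while IFS= read -r p; do
        printf '%s %s\n' "$(octal_mode "$p")" "$p"
    done
}

# sgid_fix_plan ROOT: the remediation from the audit section for each 2744
# hit, printed rather than executed so it can be reviewed first
sgid_fix_plan() {
    sgid_report "$1" | while read -r mode p; do
        [ "$mode" = 2744 ] || continue
        printf 'chmod g-s %s\nchmod 744 %s\n' "$p" "$p"
    done
}

run_lab() {
    root=$(mktemp -d)
    lab_setup "$root"
    check_sgid_dir "$root/readshare" && echo "readshare is 2744"
    check_group_inherit "$root/readshare" "$root/readshare/info.txt" \
        && echo "info.txt inherited the directory's group"
    group_can_traverse "$root/readshare" \
        || echo "group has r-- only: can list names, cannot open files"
    echo "--- SGID audit under $root ---"
    sgid_report "$root"
    echo "--- fix plan (dry run) ---"
    sgid_fix_plan "$root"
    rm -rf "$root"
}

run_lab
```

On a real host the audit functions take the WordPress tree as ROOT (for example `sgid_report /home`), and the fix plan should be read before any of its lines are pasted back into a shell.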

## Cheat Sheet
| Command | Purpose |
|---|---|
| chmod 2744 | SGID + 744 |
| chmod g-s | Remove SGID |
| find / -perm -2000 | Audit SGID |
| ls -l | Spot S in group exec slot |

## Mini-Quiz
| Question | Answer |
|---|---|
| Meaning of 2 in 2744? | SGID |
| Group permission? | Read only |
| Safe in wp-content? | No |
| Indicator? | S in group execute bit |