2750
SGID + 750
2750 combines:
- **SGID (2)**: files created in the directory inherit the directory's group; executables run with group privileges
- Owner: rwx
- Group: r-x
- Others: ---
Result:
Owner has full control, group can read/execute (and new files inherit the group), others have no access.
Useful in controlled team environments, not in public WordPress paths.
Objective
Understand when 2750 is appropriate, especially in shared administration contexts, and avoid misuse in WordPress deployments.
Concept Breakdown
Octal structure
| Digit | Meaning |
|---|---|
| 2 | SGID |
| 7 | Owner rwx |
| 5 | Group r-x |
| 0 | Others --- |
Behavior
| Target | Result |
|---|---|
| File exec | Runs with file’s group |
| Directory | New files inherit directory group |
| Others | No access |
Syntax Formula
Apply SGID + 750
chmod 2750 <file|dir>
Remove SGID
chmod g-s <file|dir>
Verify
ls -l <file|dir>
Permission Indicator
-rwxr-s---
or for directory:
drwxr-s---
**s** appears in the group execute position.
Practical Example & Output
Create controlled shared directory
groupadd wpops
mkdir /srv/wpops
chgrp wpops /srv/wpops
chmod 2770 /srv/wpops # Note: 2770 common variant for write sharing
For strict 2750:
chmod 2750 /srv/wpops
ls -ld /srv/wpops
Expected:
drwxr-s--- ... /srv/wpops
Only owner + group members can access; group inherits future files.
WordPress-Relevant Usage
| Scenario | Valid | Notes |
|---|---|---|
| Internal ops scripts directory | ✅ | Good use case |
| Shared deployment cache | ✅ | If not web-exposed |
| wp-content/uploads | ❌ | Never |
| wp-content/cache | ❌ | Breaks WP + security risk |
| Public www path | ❌ | Bad practice |
| Shared SFTP area | ⚠️ | Only if tightly controlled |
WP Server Scenarios
| Use Case | Recommendation |
|---|---|
| Ops automation folder under /srv | ✅ Valid |
| Git deploy staging workspace | ✅ Valid |
| WP content tree | ❌ Not allowed |
| Multi-user edit under public root | ❌ Replace with per-user + ACL |
Security Considerations
Benefits
| Benefit | Reason |
|---|---|
| Group inheritance | Clean team collaboration |
| Others blocked | Restricts world access |
| Group execute | Shared scripts possible |
Risks
| Risk | Cause |
|---|---|
| Privilege creep | Too many group members |
| Web dir SGID | Exploit path |
| User confusion | Wrong group ownership |
Audit
find / -perm -2000 2>/dev/null
Fix
chmod g-s <path>
Best Practices
| Practice | Reason |
|---|---|
| Use only for internal admin group dirs | Controlled privilege sharing |
| Never in web root | Avoid WP attack chains |
| Prefer Git & sudo workflows | Modern infra approach |
| Add ACL for specific users | Avoid over-granting group |
Example:
setfacl -m u:developer:rwx /srv/wpops
WordPress Audit
Scan WP tree:
find /home -perm -2000
If 2750 present under public_html:
chmod g-s <path>
chmod 750 <path>
Then restore typical WP perms:
- Directories: 755 or 750
- Files: 644 or 640
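The scan-and-reset steps above as one script, added here as an example and not part of the original page. The function names `audit_sgid` and `fix_sgid`, the script name in the usage comment, and the assumption that web roots are directories named `public_html` are illustrative; the reset uses the stricter modes from the list above (750 for directories, 640 for files).

```shell
#!/bin/sh
# Added example, not from the original page.
# Assumption: web roots are directories named public_html somewhere below ROOT.
# Paths containing newlines are not handled.

# audit_sgid ROOT: list SGID files and directories at or below any public_html.
audit_sgid() {
    find "$1" \( -type d -o -type f \) -perm -2000 \
        \( -name public_html -o -path '*/public_html/*' \) -print 2>/dev/null | sort
}

# fix_sgid ROOT: clear SGID on each hit, then reset the mode.
# g-s is explicit because GNU chmod keeps a directory's SGID bit when it is
# given a plain three-digit mode such as 750.
fix_sgid() {
    audit_sgid "$1" | while IFS= read -r p; do
        chmod g-s "$p" || continue
        if [ -d "$p" ]; then chmod 750 "$p"; else chmod 640 "$p"; fi
        printf 'fixed %s\n' "$p"
    done
}

# Usage (hypothetical script name):
#   sh sgid_audit.sh /home         report only
#   sh sgid_audit.sh /home --fix   report, then reset
if [ $# -gt 0 ]; then
    audit_sgid "$1"
    if [ "${2:-}" = "--fix" ]; then fix_sgid "$1"; fi
fi
```

SGID directories outside `public_html`, such as an internal `/srv/wpops`, are not reported or changed.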
Go-Live Checklist
| Requirement | ✅ |
|---|---|
| SGID only on internal dirs | ✅ |
| No SGID inside WP tree | ✅ |
| Group membership audited | ✅ |
| ACL rules applied | ✅ |
| Weekly SGID audit task | ✅ |
Troubleshooting Matrix
| Symptom | Cause | Fix |
|---|---|---|
| Group can't write | 2750 gives r-x only | Use 2770 instead |
| WP file access denied | SGID misused in WP path | Reset perms |
| Leaked file access | Wrong group | Fix group & ACL |
Quick Lab
Create secure devops collaboration dir:
groupadd wpdev
mkdir /srv/wpdev
chgrp wpdev /srv/wpdev
chmod 2750 /srv/wpdev
Test group inheritance:
touch /srv/wpdev/test.txt
ls -l /srv/wpdev/test.txt
Group of file should be wpdev.
Cheat Sheet
| Command | Meaning |
|---|---|
| chmod 2750 | SGID + 750 |
| chmod g-s | Remove SGID |
| find / -perm -2000 | Scan SGID |
| ls -l | Spot s in group exec |
Mini-Quiz
| Question | Answer |
|---|---|
| What does 2 in 2750 mean? | SGID |
| Group permission? | r-x |
| Safe in wp-content? | No |
| Indicator in ls? | s in group exec |