2755
SGID + 755
2755 combines **SGID (2)** with standard 755 permissions:
- Owner: rwx
- Group: r-x
- Others: r-x
- An executable file runs with the file's group
- New files inside SGID directories inherit the group
This is for controlled multi-user collaboration under a shared group. It is rarely needed for WordPress hosting unless you have a shared dev/sysadmin environment.
Objective
Understand SGID + 755, when to apply it, and when to avoid it in WP environments.
Concept Breakdown
Octal structure
| Digit | Meaning |
|---|---|
| 2 | SGID enabled |
| 7 | Owner rwx |
| 5 | Group r-x |
| 5 | Others r-x |
Actions
| Context | Behavior |
|---|---|
| File | Executes with file’s group |
| Directory | New files inherit group of directory |
Syntax Formula
Apply SGID + 755
chmod 2755 <file/dir>
Remove SGID
chmod g-s <file/dir>
Verify
ls -l <file/dir>
Permission Indicator
Expected ls output:
-rwxr-sr-x
or (for dir)
drwxr-sr-x
Key marker: **s** in the group execute bit.
Practical Example & Output
Shared directory for dev/sysadmin team
groupadd webteam
mkdir /srv/webcollab
chgrp webteam /srv/webcollab
chmod 2775 /srv/webcollab
ls -ld /srv/webcollab
Expected:
drwxrwsr-x ... /srv/webcollab
File with SGID + 755
chmod 2755 /usr/local/bin/dev-tool
ls -l /usr/local/bin/dev-tool
Expected:
-rwxr-sr-x ... dev-tool
WordPress-Relevant Usage
| Scenario | Valid | Notes |
|---|---|---|
| Shared CLI deployment directory | ✅ | If internal admin only |
| Shared log/analyze dir for devops group | ✅ | Safe if isolated |
| wp-content/uploads | ❌ | Never |
| wp-content/cache | ❌ | Never |
| Plugin/theme folders | ❌ | Risky & unnecessary |
| User home under /home/siteuser | ❌ | Use chown + ACL instead |
Common WP Server Scenarios
| Case | Recommendation |
|---|---|
| Team automation scripts | Prefer sudo + ACLs |
| Git deployment pipeline | Better with correct git user |
| Shared staging env folder | Allowed with strict group |
| Public writable dirs | Never SGID |
Security Considerations
Risks
| Threat | Description |
|---|---|
| Privilege group escalation | Any user inherits group |
| Misapplied to WP tree | Attack path for write/delete |
| Confusion with SUID | Both escalate, but in different ways |
Audit
find / -perm -2000 2>/dev/null
Removal
chmod g-s <path>
Best Practices
| Practice | Reason |
|---|---|
| Use SGID for internal shared dirs only | Controlled access |
| Avoid in /var/www & WP dirs | Attack surface |
| Prefer group ACLs | More granular |
| Use sudoers for privilege elevation | Logged & safe |
Example ACL:
setfacl -m g:webteam:rwx /srv/webcollab
WordPress Audit
Check WP data path:
find /home -perm -2000
Expect zero SGID entries in:
- wp-content/uploads
- wp-content/cache
- Themes/plugins
If found:
chmod g-s <path>
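The audit and removal steps above, combined into one POSIX shell function that a scheduled audit job could call. This is an added example, not part of the original page; the function name `audit_wp_sgid`, its optional `fix` argument and the standard `wp-content/{uploads,cache,plugins,themes}` layout are assumptions.

```shell
# audit_wp_sgid WP_ROOT [fix]
# Added example (hypothetical helper, not from the original page).
# Lists every file or directory carrying the SGID bit under the WordPress
# paths that should contain none. With "fix" as second argument it also
# clears the bit (chmod g-s) on everything it reported.
# Returns: 0 = clean, 1 = SGID entries were found, 2 = not a WordPress root.
# Assumes the standard wp-content layout.
audit_wp_sgid() {
    wp_root=$1
    mode=${2:-report}
    if [ ! -d "$wp_root/wp-content" ]; then
        echo "audit_wp_sgid: no wp-content directory under '$wp_root'" >&2
        return 2
    fi
    findings=$(
        for sub in uploads cache plugins themes; do
            dir=$wp_root/wp-content/$sub
            [ -d "$dir" ] || continue
            # -perm -2000 matches any mode with SGID set, whatever the rwx bits.
            # ls -ld shows the mode string, so the "s" in the group triplet is visible.
            # stderr is left alone: an unreadable directory means an incomplete audit.
            find "$dir" -perm -2000 -exec ls -ld {} +
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    if [ "$mode" = fix ]; then
        for sub in uploads cache plugins themes; do
            dir=$wp_root/wp-content/$sub
            [ -d "$dir" ] || continue
            find "$dir" -perm -2000 -exec chmod g-s {} +
        done
    fi
    return 1
}
```

A non-zero return lets a cron wrapper alert on findings; in `fix` mode the return is still 1 so the run that found the entries is not reported as clean.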
Go-Live Checklist
| Checklist | ✅ |
|---|---|
| SGID only in controlled shared dirs | ✅ |
| No SGID in WP paths | ✅ |
| Proper group ownership set | ✅ |
| ACL/sudo rules configured | ✅ |
| Audit cron scheduled | ✅ |
Troubleshooting Matrix
| Issue | Cause | Fix |
|---|---|---|
| Files inherit wrong group | SGID misused | chmod g-s |
| Shared scripts escalate wrong group | Bad group ownership | chown root:webteam file |
| Unexpected WP privilege | SGID on WP dirs | Remove & reset perms |
Quick Lab
Create SGID share for WordPress dev team:
groupadd wpdev
mkdir /srv/wpdev
chgrp wpdev /srv/wpdev
chmod 2775 /srv/wpdev
touch /srv/wpdev/test
ls -l /srv/wpdev/test
Expected: the new file has group wpdev.
Cheat Sheet
| Command | Description |
|---|---|
| chmod 2755 | SGID + 755 |
| chmod g-s | Remove SGID |
| find / -perm -2000 | Scan SGID |
| ls -l | Check s in group bit |
Mini Quiz
| Question | Answer |
|---|---|
| What does 2 in 2755 do? | Enables SGID |
| Where safe? | Internal shared dirs |
| Safe for wp-content? | No |
| Indicator in ls? | s on group exec |