4000
SUID (Set User ID)
SUID makes a file execute with the file owner's privileges rather than those of the user running it. In a WordPress VPS context, it is **rarely required** and usually a **security risk** if misused.
Objective
Understand SUID (4000), how it works, when to use/avoid it, and security considerations for WordPress VPS.
Core Concept
- Regular permission code: **rwx** defines what a user can do.
- **SUID** adds execution privilege escalation to the owner level during runtime.
Meaning of 4 as the first digit:
| Digit | Meaning |
|---|---|
| 4 | Enable SUID bit |
Pattern
4xyz
Where xyz = standard file permission digits.
Example:
4755
= SUID + 755
Syntax Formula
Set SUID
chmod 4xxx filename
Remove SUID
chmod u-s filename
Check SUID files
find / -perm -4000 2>/dev/null
Indicator in File Listing
Command
ls -l file
Output Pattern
-rwsr-xr-x
Key indicator: **s** replacing **x** in the owner field.
Real Examples with Output
Example 1: Apply SUID
chmod 4755 /usr/local/bin/custom-script
ls -l /usr/local/bin/custom-script
Expected Output
-rwsr-xr-x 1 root root ... custom-script
Example 2: Check common SUID binaries
ls -l /usr/bin/passwd
Expected Output
-rwsr-xr-x 1 root root ... passwd
Use Case Patterns
| Use Case | Valid? | Notes |
|---|---|---|
| Privilege escalation for trusted binaries | ✅ | passwd, sudo, ping etc. |
| WordPress/PHP scripts | ❌ | Security risk |
| WP plugin files | ❌ | Never |
| User-uploaded files | ❌ | Critical risk |
| Maintenance scripts (rare, controlled) | ✅ | Only internal admin scripts |
WordPress VPS Scenarios
| Scenario | Recommendation |
|---|---|
| Custom backup script needs access to root-owned files | Avoid; use sudoers instead |
| WP site management scripts | Never use SUID |
| Server admin automation | Use root cron / sudo, not SUID |
| Temporarily escalate permissions for a service script | Do only with audit & policy |
Security Considerations
Risks
| Threat | Description |
|---|---|
| Privilege Escalation | Untrusted script becomes root |
| Backdoors | Malware sets SUID on shells |
| Privilege abuse | User can modify and escalate |
Detection & Response
Check risky SUID executables
find / -perm -4000 2>/dev/null
Remove SUID
chmod u-s file
Monitor for new SUID files
(best practice: cron with diff+alert)
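One way to implement the cron-based diff and alert mentioned above, as an added example that is not part of the original page. The function names, the two-argument calling convention and the reliance on cron mailing the output are assumptions.

```shell
#!/bin/sh
# Added example: baseline-and-diff check for new SUID files, meant for cron.
# Assumed usage: suid-audit.sh <scan-root> <baseline-file>  (names are hypothetical)

# List regular files under $1 that have the SUID bit set, sorted for comm(1).
suid_scan() {
    find "$1" -type f -perm -4000 2>/dev/null | LC_ALL=C sort
}

# Print paths that are in the current list ($2) but not in the baseline ($1).
suid_new() {
    LC_ALL=C comm -13 "$1" "$2"
}

# Scan $1 and compare against baseline file $2.
# Returns 0 if nothing new appeared, 1 if new SUID files were found.
# The baseline is written only on the first run, so a finding keeps
# alerting until an admin reviews it and refreshes the baseline by hand.
suid_audit() {
    current=$(mktemp) || return 2
    suid_scan "$1" > "$current"
    if [ ! -f "$2" ]; then
        mv "$current" "$2"
        return 0
    fi
    added=$(suid_new "$2" "$current")
    rm -f "$current"
    if [ -z "$added" ]; then
        return 0
    fi
    # cron mails anything printed here to the job owner (MAILTO).
    printf '%s\n' "$added" | sed 's/^/NEW SUID FILE: /'
    return 1
}

# Run only when called with both arguments, e.g. from a root cron job.
if [ "$#" -eq 2 ]; then
    suid_audit "$1" "$2"
fi
```

Schedule it from root's crontab and keep the baseline file in a directory only root can write, so that a compromised account cannot edit the baseline to hide a new SUID file.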
Best Practices
- Do **not** use SUID for web-facing scripts
- Restrict SUID to known system binaries
- Audit SUID weekly on production server
- Prefer **sudo** rules instead:
  - safer
  - controlled
  - logs access
Example sudoers rule:
visudo
Add:
wpadmin ALL=(root) NOPASSWD: /usr/local/bin/wp-maintenance.sh
WordPress-Focused Quick Audit
Scan WP home directory for SUID (should be zero)
find /home -perm -4000
Correct if found
chmod u-s /path/file
Go-Live Checklist
| Item | Status |
|---|---|
| Verify no SUID on wp-content | ✅ |
| Verify only system binaries use SUID | ✅ |
| Sudoers rules audited | ✅ |
| Root scripts owned by root | ✅ |
| Cron task monitors SUID changes | ✅ |
Troubleshooting Matrix
| Issue | Cause | Fix |
|---|---|---|
| Unexpected root access | SUID applied wrongly | chmod u-s file |
| "Permission denied" after removal | Script relied on SUID | Use a sudoers policy |
| Malware alert on SUID binary | Backdoor attempt | Remove + scan system |
Quick Lab
Exercise
- Create dummy script
echo '#!/bin/bash
id' > test.sh
chmod +x test.sh
- Run normally
./test.sh
Expected:
uid=1001(...)
- Enable SUID
chmod 4755 test.sh
./test.sh
Expected:
uid=0(root)
- Remove SUID
chmod u-s test.sh
Cheat Sheet
| Command | Purpose |
|---|---|
| chmod 4xxx file | Apply SUID |
| chmod u-s file | Remove SUID |
| find / -perm -4000 | Scan SUID files |
| ls -l file | Verify s bit |
Mini-Quiz
| Question | Answer |
|---|---|
| What does 4 mean in 4755? | SUID enabled |
| Where does SUID apply? File or directory? | File |
| Safe for WordPress PHP files? | No |
| Indicator in ls output? | s in owner execute flag |