4750
SUID + 750
4750 combines:
- **SUID (4)**: execute as file owner
- **Owner**: rwx
- **Group**: r-x
- **Others**: ---
Result:
Only owner and group can run/read, but execution **runs with the owner's privileges** (typically root). Others have no access.
This is a **privileged script mode for internal users only**; it is extremely rare, and dangerous in a WordPress stack unless tightly controlled.
Objective
Understand when 4750 is used and how to avoid misuse in a WordPress VPS.
Concept Breakdown
Octal structure
| Digit | Meaning |
|---|---|
| 4 | SUID |
| 7 | Owner rwx |
| 5 | Group r-x |
| 0 | Others --- |
Behavior
| Case | Outcome |
|---|---|
| Owner runs normally | Full access |
| Group runs as owner | Elevated |
| Others forbidden | No access |
Syntax Formula
Apply 4750:
`chmod 4750 <file>`
Remove SUID:
`chmod u-s <file>`
Verify:
`ls -l <file>`
Permission Indicator
`-rwsr-x---`
Note: **s** in the owner exec bit, no rights for others.
Practical Example & Output
Secure SUID internal script demo:

```bash
echo '#!/bin/bash
id' > /usr/local/bin/privtask.sh
chown root:wpops /usr/local/bin/privtask.sh
chmod 4750 /usr/local/bin/privtask.sh
ls -l /usr/local/bin/privtask.sh
```
Expected:
`-rwsr-x--- root wpops ... privtask.sh`
If a user in wpops runs it:
`uid=0(root) ...`
Others get:
`Permission denied`
WordPress-Relevant Usage
| Scenario | Valid | Notes |
|---|---|---|
| Admin-only privileged automation | ✅ Rare expert use | |
| WP CLI, plugin scripts | ❌ Never | |
| Web-accessible files | ❌ Severe exploit vector | |
| SFTP shared paths | ❌ Misuse risk | |
**Rule:** If you need privilege elevation, use sudoers, not SUID.
WP Server Patterns
| Use Case | Recommendation |
|---|---|
| Privileged maintenance tasks | Prefer sudoer entry |
| DB backup automation | Run via root cron or systemd |
| File repair scripts | Avoid SUID, use sudo |
| Shared admin ops script | Valid only if group tracked and controlled |
Security Considerations
Threats
| Risk | Reason |
|---|---|
| Privilege escalation | Group gets owner privileges |
| Abused by malware | Hidden persistent privilege hook |
| Wrong group membership | Unauthorized elevation |
Audit
`find / -perm -4000 2>/dev/null`
Hardening
`chmod u-s <file>`
Best Practices
| Practice | Reason |
|---|---|
| Never SUID WP-related scripts | Breaks isolation |
| Use systemd timers/cron instead | Safer |
| Prefer sudo policy & logs | Audit trail |
| Limit group membership strictly | Principle of least privilege |
WordPress Audit
Scan for SUID under /home:
`find /home -perm -4000`
Found? Remove the bit and reset the mode:
`chmod u-s <path>`
`chmod 750 <path>`
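As an added example (not code from the original page), the shell functions below turn the `find` scans above and the checks from the Threats and Best Practices tables into a repeatable audit: they list every SUID file under a path with its octal mode and owner, flag files that others can execute or that are group-writable, and flag `#!` scripts, because the Linux kernel ignores the SUID bit on interpreted scripts, so a 4750 shell script never actually elevates and the bit only signals a misconfiguration. The function names and flag labels are my own; it assumes GNU find and stat on Linux.

```shell
#!/usr/bin/env bash
# Added audit helpers (not from the original page). Assumes GNU find/stat.
# audit_suid: one line per SUID file: "<mode> <owner>:<group> <path> [flags]"
#   OTHERS-EXEC            others can execute (4755-style; the page's pattern is 4750)
#   GROUP-OR-OTHERS-WRITE  someone besides the owner can rewrite the file
#   SCRIPT                 starts with "#!": Linux does not honor SUID on interpreted
#                          scripts, so the bit is ineffective and only a misconfiguration
audit_suid() {
  find "$1" -xdev -type f -perm -4000 2>/dev/null |
  while IFS= read -r f; do
    local mode owner group others grp flags
    mode=$(stat -c '%a' "$f")          # e.g. 4750
    owner=$(stat -c '%U' "$f")
    group=$(stat -c '%G' "$f")
    others=$(( mode % 10 ))            # last octal digit: others
    grp=$(( (mode / 10) % 10 ))        # group digit
    flags=""
    [ $(( others & 1 )) -ne 0 ] && flags="$flags OTHERS-EXEC"
    [ $(( (grp | others) & 2 )) -ne 0 ] && flags="$flags GROUP-OR-OTHERS-WRITE"
    [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ] && flags="$flags SCRIPT"
    printf '%s %s:%s %s%s\n' "$mode" "$owner" "$group" "$f" "$flags"
  done
}

# count_suid: number of SUID files under a path (go-live check: expect 0 in WP dirs)
count_suid() {
  find "$1" -xdev -type f -perm -4000 2>/dev/null | wc -l | tr -d ' '
}

# strip_suid: the "Found?" remediation from the WordPress Audit section,
# applied to every SUID file under a path (chmod u-s, then 750)
strip_suid() {
  find "$1" -xdev -type f -perm -4000 2>/dev/null |
  while IFS= read -r f; do
    chmod u-s "$f" && chmod 750 "$f"
  done
}

# Usage: audit_suid /home ; count_suid /var/www ; strip_suid /home/site/public_html
```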
Go-Live Checklist
| Requirement | ✅ |
|---|---|
| No SUID in WP directories | ✅ |
| Privileged scripts controlled | ✅ |
| Group membership audited | ✅ |
| Sudoers configured | ✅ |
Troubleshooting Matrix
| Symptom | Cause | Fix |
|---|---|---|
| Users gaining root perms | SUID misuse | Remove SUID |
| WP exploit chain found | SUID file abused | Reset perms + AV scan |
| Unexpected script privilege | Wrong group owns file | Correct chgrp |
Quick Lab
Recommended secure alternative to SUID:
`visudo`
Add (the `%` prefix makes the entry apply to the wpops group, not to a user named wpops):
`%wpops ALL=(root) NOPASSWD:/usr/local/bin/privtask.sh`
Run:
`sudo /usr/local/bin/privtask.sh`
Cheat Sheet
| Command | Purpose |
|---|---|
| chmod 4750 | SUID + 750 |
| chmod u-s | Remove SUID |
| find / -perm -4000 | Scan SUID |
| ls -l | Check s bit |
Mini-Quiz
| Question | Answer |
|---|---|
| Meaning of 4 in 4750? | SUID |
| Group access? | Read + execute as owner |
| Safe in WP dirs? | No |
| Preferred elevation method? | sudoers |