4755
SUID + 755
4755 combines **SUID (4)** with standard 755 permissions:
- Owner: read, write, execute (`rwx`)
- Group: read, execute (`r-x`)
- Others: read, execute (`r-x`)
- **Executes with the owner's privileges (SUID)**
In practice: the file becomes executable by anyone, but **runs as the file owner**, usually root. Strong capability, high risk if misapplied.
Objective
Understand 4755, see how it behaves, and enforce safe use on a WordPress VPS.
Concept Breakdown
Octal structure
| Digit | Meaning |
|---|---|
| 4 | SUID enabled |
| 7 | Owner rwx |
| 5 | Group r-x |
| 5 | Others r-x |
Behavior
- Any user who runs the file gains the **file owner's execution privileges**
- Usually used by root-owned binaries like `passwd`
Syntax Formula
Apply 4755:
`chmod 4755 <file>`
Remove SUID (restore normal 755):
`chmod u-s <file>`
Check:
`ls -l <file>`
Permission Indicator
Expected in `ls -l`:
`-rwsr-xr-x`
Key marker: **s** in the owner execute position.
Real Working Example & Output
Demo script (proof of behavior):
```bash
echo -e '#!/bin/bash\nid' > /usr/local/bin/test-suid.sh
chmod 755 /usr/local/bin/test-suid.sh
chown root:root /usr/local/bin/test-suid.sh
/usr/local/bin/test-suid.sh
```
Expected output before SUID:
```
uid=1001(...) gid=1001(...)
```
Now enable 4755:
```bash
chmod 4755 /usr/local/bin/test-suid.sh
```
Run again:
```
uid=0(root) gid=1001(...)
```
Result: script runs with root privileges.
Caveat: the Linux kernel ignores the setuid bit on interpreter scripts (anything executed through a `#!` line), so on a Linux VPS this demo keeps printing the unprivileged uid; the elevated result only appears for a compiled SUID binary. The mode bit, its `ls -l` marker and the audit steps below apply either way.
WordPress-Relevant Usage
| Scenario | Valid? | Notes |
|---|---|---|
| System binaries (passwd, sudo) | ✅ OS defaults only | |
| WP CLI scripts | ❌ Never | |
| Backup / deploy scripts | ❌ Use sudoers instead | |
| Theme/plugin files | ❌ Critical risk | |
| User upload paths | ❌ Severe escalation vulnerability | |
**WP rule:** WordPress files must **never** run as root via SUID.
Production Scenarios Guidance
| Case | Best Practice |
|---|---|
| Admin automation | Use sudo policy, not SUID |
| Shared command for dev & ops | Use ACLs |
| Need temporary elevated script | sudoers NOPASSWD |
| Security auditing | Monitor for SUID anomalies |
Security Considerations
Risks
| Threat | Why |
|---|---|
| Privilege escalation | User gets root rights |
| Web exploit chaining | Attacker uses SUID to break out |
| Backdoor persistence | Root shells via SUID script |
Audit:
`find / -perm -4000 2>/dev/null`
Removal:
`chmod u-s <file>`
Best Practices
| Guideline | Reason |
|---|---|
| Never grant 4755 in /home or /var/www | Web risk |
| Keep SUID only for trusted system binaries | Designed securely |
| Prefer sudoers rules | Logged, controlled |
| Run WP CLI as site user | Principle of least privilege |
WordPress Audit Commands
Check only WP directories:
`find /home -perm -4000`
Found anything? Remove:
`chmod u-s <file>`
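The audit-and-remove steps above, plus the "cron monitors SUID changes" item from the go-live checklist, as one small script. This is an added example, not part of the original page; the web root `/var/www` and baseline path `/var/lib/wp-suid.baseline` are placeholder assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): record a reviewed SUID baseline
# for a web root, report anything new on later runs, and strip the bit in bulk.
# Assumed placeholders: /var/www (web root) and /var/lib/wp-suid.baseline.

# List every SUID file under DIR, sorted, one path per line.
list_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Exit 0 if FILE carries the SUID bit (POSIX `test -u`), 1 otherwise.
is_suid() {
    [ -u "$1" ]
}

# Save the reviewed SUID set under DIR to BASELINE (run once at go-live).
save_baseline() {
    list_suid "$1" > "$2"
}

# Print SUID files under DIR that are absent from BASELINE; exit 1 if any.
check_against_baseline() {
    current=$(list_suid "$1")
    [ -z "$current" ] && return 0
    if [ -s "$2" ]; then
        new=$(printf '%s\n' "$current" | grep -vxF -f "$2" || true)
    else
        new=$current   # empty or missing baseline: everything is new
    fi
    [ -z "$new" ] && return 0
    printf '%s\n' "$new" | sed 's/^/NEW SUID FILE: /'
    return 1
}

# Remove the SUID bit from every file under DIR (the page's chmod u-s, in bulk).
strip_suid() {
    find "$1" -type f -perm -4000 -exec chmod u-s {} + 2>/dev/null
}

# Cron entry point: sh suid-audit.sh audit [webroot] [baseline]
if [ "${1:-}" = "audit" ]; then
    check_against_baseline "${2:-/var/www}" "${3:-/var/lib/wp-suid.baseline}"
fi
```

A non-zero exit from the `audit` entry point is what a cron job or monitoring hook should alert on.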
Go-Live Checklist
| Item | ✅ |
|---|---|
| No custom 4755 binaries | ✅ |
| No SUID in wp-content or public web | ✅ |
| Sudoers configured for automation | ✅ |
| Cron monitors SUID changes | ✅ |
Troubleshooting Matrix
| Issue | Cause | Fix |
|---|---|---|
| Script runs as root unexpectedly | SUID applied | chmod u-s file |
| WP files flagged in malware scan | SUID tampering | Remove + rescan system |
| Cannot elevate script | Wrong path or ownership | Use sudo instead |
Quick Lab
Create a privileged script safely (sudo instead of SUID):
Edit sudoers:
`visudo`
Add:
`wpadmin ALL=(root) NOPASSWD:/usr/local/bin/wp-maint.sh`
The script itself must be owned by root and not writable by `wpadmin`; otherwise the rule lets that user edit what runs as root.
Verify:
`sudo /usr/local/bin/wp-maint.sh`
Cheat Sheet
| Command | Purpose |
|---|---|
| chmod 4755 file | Set SUID + 755 |
| chmod u-s file | Remove SUID |
| find / -perm -4000 | Scan SUID |
| ls -l | Check for s bit |
Mini Quiz
| Question | Answer |
|---|---|
| What does 4 in 4755 do? | Enables SUID |
| What bit appears in ls -l? | s on owner exec |
| Use for WordPress scripts? | No |
| Safer alternative? | sudoers |