diff --git a/script/deploy.sh b/script/deploy.sh
index db93b2f..f52a91e 100755
--- a/script/deploy.sh
+++ b/script/deploy.sh
@@ -48,6 +48,31 @@ ssh_run() {
 fi
 }
 
+# Ensure /tmp on the remote is world-writable + sticky (mode 1777). Some
+# hosts in this fleet have had /tmp reset to root-owned 0755 by an
+# unrelated configuration step, which silently breaks the rsync of the
+# deploy stage dir under our unprivileged user. Check the mode first so a
+# correctly-configured host doesn't incur a needless sudo call.
+ensure_tmp_writable() {
+ local host="$1"
+ if (( dry_run )); then
+ printf '\033[2m[dry-run]\033[0m ssh %s -- stat /tmp; chmod 1777 if needed\n' "$host" >&2
+ return 0
+ fi
+ local mode
+ mode="$(ssh -o BatchMode=yes "$host" 'stat -c %a /tmp')" || {
+ warn "could not stat /tmp on $host"
+ return 1
+ }
+ if [[ "$mode" != "1777" ]]; then
+ warn "/tmp on $host is mode $mode; fixing to 1777"
+ ssh -o BatchMode=yes "$host" 'sudo chmod 1777 /tmp' || {
+ warn "failed to chmod /tmp on $host"
+ return 1
+ }
+ fi
+}
+
 [[ $# -ge 1 ]] || usage
 environment="$1"; shift
 components=()
@@ -192,6 +217,8 @@ deploy_api() {
 # live system dirs.
 local remote_stage="/tmp/moments-deploy.api.${$}.${RANDOM}"
 
+ ensure_tmp_writable "$host" || return 1
+
 rsync \
 --archive \
 --hard-links \
@@ -344,6 +371,8 @@ deploy_worker() {
 # path via the heredoc. Never rsync into /.
 local remote_stage="/tmp/moments-deploy.worker.${$}.${RANDOM}"
 
+ ensure_tmp_writable "$host" || return 1
+
 rsync \
 --archive \
 --hard-links \
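Review bot: In ensure_tmp_writable the object that is inspected and the object root then changes can differ, because `stat -c %a /tmp` reads only the mode and does not follow a symlink, while `sudo chmod 1777 /tmp` follows one and runs regardless of owner or file type. On a host where /tmp is a symlink the check would see 777, so every deploy would presumably re-run the chmod against whatever the link points to. I would stat with `-L`, include the file type and owner in the comparison, and refuse to touch anything that is not a root-owned directory. `sudo -n` would also make the non-interactive failure explicit instead of depending on how sudo behaves without a terminal.

```shell
ensure_tmp_writable() {
  # … unchanged: host argument and dry-run branch …
  local state
  # -L: inspect the object chmod will act on. %F and %u let us refuse
  # anything that is not a root-owned directory instead of chmod-ing it.
  state="$(ssh -o BatchMode=yes "$host" "stat -L -c '%F:%u:%a' /tmp")" || {
    warn "could not stat /tmp on $host"
    return 1
  }
  case "$state" in
    directory:0:1777) return 0 ;;
    directory:0:*) ;;
    *)
      warn "/tmp on $host is '$state', not a root-owned directory; not changing it"
      return 1
      ;;
  esac
  warn "/tmp on $host is mode ${state##*:}; fixing to 1777"
  # -n: fail instead of prompting when sudo would need a password.
  ssh -o BatchMode=yes "$host" 'sudo -n chmod 1777 /tmp' || {
  # … unchanged: failure warning and return 1 …
```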
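Review bot: The staging path in deploy_api, `/tmp/moments-deploy.api.${$}.${RANDOM}`, is guessable (a PID plus a 15-bit random number), and the added `ensure_tmp_writable` call now guarantees that its parent directory is writable by every local account on the host. Where the directory gets created is outside the hunk, but unless that happens atomically and with owner-only permissions, another account can create the name first and control what is staged there. I would let the remote create it, after a separate `local remote_stage`, with `remote_stage="$(ssh -o BatchMode=yes "$host" 'mktemp -d /tmp/moments-deploy.api.XXXXXXXXXX')" || return 1`. Staging under a directory owned by the deploy user would avoid the problem as well, and would also remove the need to chmod /tmp. The same applies to the deploy_worker hunk; both function bodies start and end outside their hunks.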