
What are 'Wheel' and 'Everyone' accounts?

Following an upgrade to Leopard from Panther, I used the "Reset Password" item on the "Utilities" menu of the Leopard install disk to reset all my ACLs to their default values. I did this to (successfully) resolve an issue with not being able to trash anything without using a password.

I now have two pseudo-accounts (meaning that they don't appear in the Accounts control panel) in the Info pane Sharing and Permissions section for my Home folder and sub-folders. These are "Wheel" and "Everyone". What are these? All I want is Read/Write access for myself and Read Only permission for my network connected laptop (for which I have created a Sharing account). Nobody else should be on my computer, but if they are I don't want them to have any access at all.

Can I remove these two entities from the Sharing & Permissions, or should I just set them to No Access? What are the implications of these two alternatives?

Thanks.

iMac G5 (1st gen), Mac OS X (10.5.2), Bluetooth mouse/KB. Airport card. VirtualPC.

Posted on Apr 14, 2008 5:31 PM

Question marked as Best reply

Posted on Apr 14, 2008 5:37 PM

Wheel is a system-level group; it can be safely removed from the access list for any item you've created. Everyone refers to all accounts on the system which aren't in any other entry of the list.


Apr 14, 2008 5:43 PM in response to Paul Fryer

Everyone means just that - every possible user on your computer. Your home folder itself should have read permissions for everyone. That's normal so that other users can get into your Public and Sites folders which are accessible to everyone by default. However, your other folders in your home directory like your Documents or Desktop folders (or anything else you create yourself) should have no access for anybody but you.

Wheel is a special administrative group which normally contains only the "root" user. The fact that using the ACL reset button changed group ownership on your home folder to wheel is a bug.

To change them to what they ought to be run the following command in terminal

    sudo chown -R `id -un`:`id -gn` ~

Just copy and paste the above. You'll have to enter your admin password, which you won't see. That's normal.

Apr 14, 2008 6:27 PM in response to V.K.

Thanks for the replies.

Not used Terminal very much, and not sure what that command will do, but I tried it anyway - didn't notice any change. Wheel and everyone are still there with the permissions I set (wheel - read only, everyone - no access) on the home & enclosed folders.

Could I just do what Niel hinted - remove 'wheel' as a user from the home folder and enclosed folders; then what you suggested and set 'everyone' to No Access for all of my home folder but Public and Sites (leave them at Read Only) - just by using the Info windows?

Apr 14, 2008 6:38 PM in response to Paul Fryer

Don't ever use the "apply to enclosed items" button to change permissions on any of the system created folders including your home folder, your Desktop folder etc. That's what probably got you in trouble in the first place. Those folders have some invisible ACLs and you don't want to propagate them to enclosed folders.

It's strange that the command had no effect. It should have. Let's check what your group id is. It could have been reset to 0 by the ACL reset process. That would make your default group wheel.

Run the following in terminal and post the result. It will list your current primary group.

    id -gn

Message was edited by: V.K.

BTW, there is no harm in having wheel have access to your home folder. As I said, only root is the member and it has full access to everything anyway. However, your permissions ought to be set correctly anyway.

Apr 14, 2008 7:02 PM in response to Niel

Ok, 'wheel' disappeared without any problem on home & enclosed (took a long time to propagate throughout the folder hierarchy). It looks like I can never put it back (but why would I want to?), since it isn't in the list of possible users - there is something called Administrators instead, which I will ignore for now.

For 'everyone', I plan to change the Public folder to Read Only, and the Drop Box inside it to Write Only. Also the Sites folder & enclosed folders to Read Only. All other folders in the home folder will remain at No Access. Does this make the most sense?

Thanks.

Apr 14, 2008 7:21 PM in response to V.K.

Running the command just gave me the name of my home folder.

Interesting observation on not using the 'apply to enclosed items' button to the home folder. As you see from the conversation, I have used it, and have just done so again. It was also an essential step in resolving the earlier issue of not being able to delete anything without giving the admin password: after resetting all ACLs to the default using the Leopard install DVD, I had to apply the Home folder permissions to all enclosed folders before the problem would go away.

Anyway, I will be careful about that from now on.

Apr 14, 2008 7:26 PM in response to Paul Fryer

If you've just done it again, you need to reset the ACLs again.
The home folder has a "deny delete" ACL and you just propagated it to everything inside. Now to delete anything you'll need to enter your admin password.
As I said, don't use "apply to enclosed items" on system created folders.

If the command just gave your username back, it means that you upgraded to Leopard from Tiger and inherited Tiger group structure. Leopard uses a different one but you probably shouldn't mess with it now.

Apr 14, 2008 7:56 PM in response to V.K.

Yes, I did upgrade (from Panther - I skipped Tiger). I am happy not to mess with it further, since that's what the upgrade process provided, and things seem to be working.

You are probably right in that propagating "everyone deny delete" from the Home Folder to all the enclosed folders started the trouble, because I did have that ACL on every folder after I had propagated. After doing the reset and propagating again (a few days ago), there is no sign of "everyone deny delete" when I use the "ls -le" command, and right now I am having no trouble with deleting files or folders.

There is no sign of any "deny delete" ACL on the home folder itself. Is that likely to cause a problem (and what), and if so how can it be fixed?

Apr 14, 2008 8:09 PM in response to Paul Fryer

Interesting. I wonder how you managed to lose those "deny delete" ACLs on your home folder.

As to whether or not it will cause problems... Those ACLs weren't there prior to Leopard and were put in to make sure users didn't delete their vital folders by accident. However, this was done rather badly because this particular ACE is invisible from Finder and people clicking the "apply to enclosed items" button unwittingly propagate it with unpleasant results.

It's up to you if you want those ACLs or not. The system will function perfectly well without them but there will remain a chance that you can accidentally delete your desktop or documents folder for example.

To restore the ACLs follow these instructions:

run the following commands (they are in bold) in terminal to set things right.

    chmod -R -N ~

This removes all ACLs from files in your home directory.

The following two commands put the necessary ACLs back where they belong.

    chmod +a "everyone deny delete" ~/ ~/Desktop ~/Documents ~/Downloads ~/Library ~/Movies ~/Music ~/Pictures ~/Public ~/Sites

    chmod +a "`id -un` allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit" ~/Public/Drop\ Box

Apr 14, 2008 8:54 PM in response to V.K.

Thanks. I took the suggestions, and now things seem OK on this computer.

But now I have no access to any of the folders in my Home folder from the Sharing account on my laptop - they all got deleted by the chmod -R -N ~ command. What's the safest and easiest way to restore this access to all user folders in my home folder and their contents? I think that doing this the wrong way was the initial cause of all my problems, so I don't want to repeat the mistake.

Could I go to the Info window for each such folder, add the laptop account, set Read Only, and then Apply to Enclosed items? That should be safe enough, since I won't be doing it to any system folder.

BTW, I am finding this dialog very helpful in improving my understanding of this topic, although I expect that I am just scratching the surface. So I appreciate your patience and help.

Apr 14, 2008 9:13 PM in response to Paul Fryer

I think the easiest way to add a folder to sharing is by going to its "get info panel" and checking the box "Shared folder".

It's ok to use "apply to enclosed items" on any folders you made yourself. Just don't use it on system created ones. They sometimes have those hidden ACLs, sticky bits and flags. You usually don't want to propagate those.
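
An added example, not part of the thread: a shell function that reads `ls -led` output and reports every item carrying an "everyone deny delete" entry other than the home folder and the nine folders named in the restore command above, which is the sign that the entry was propagated by "apply to enclosed items". The function name, the sample listing and the `/Users/paul` paths are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): find propagated "everyone deny delete" ACEs.

# Folders named in the thread's restore command, relative to the home folder.
EXPECTED="Desktop Documents Downloads Library Movies Music Pictures Public Sites"

# Reads `ls -led` output on stdin; $1 is the home folder path.
# Assumption: paths contain no runs of consecutive spaces.
find_propagated_deny_delete() {
    awk -v home="$1" -v expected="$EXPECTED" '
    BEGIN {
        ok[home] = 1
        n = split(expected, names, " ")
        for (i = 1; i <= n; i++) ok[home "/" names[i]] = 1
    }
    # ACE lines look like " 0: group:everyone deny delete"
    /^ *[0-9]+: / {
        if ($2 == "group:everyone" && $3 == "deny" &&
            index("," $4 ",", ",delete,") > 0 &&
            !(path in ok) && !(path in seen)) {
            seen[path] = 1
            print path
        }
        next
    }
    # Entry lines: mode links owner group size month day time path...
    NF >= 9 {
        path = $9
        for (i = 10; i <= NF; i++) path = path " " $i
    }'
}

# Constructed sample of `ls -led` output (user "paul" is made up).
sample_listing() {
    cat <<'EOF'
drwxr-xr-x+ 14 paul  paul  476 Apr 14 20:00 /Users/paul
 0: group:everyone deny delete
drwx------+  5 paul  paul  170 Apr 14 20:00 /Users/paul/Documents
 0: group:everyone deny delete
drwxr-xr-x+  3 paul  paul  102 Apr 14 20:00 /Users/paul/Documents/Tax 2007
 0: group:everyone deny delete
drwxr-xr-x   2 paul  paul   68 Apr 14 20:00 /Users/paul/Projects
drwx-wx-wx+  2 paul  paul   68 Apr 14 20:00 /Users/paul/Public/Drop Box
 0: user:paul allow list,add_file,search,delete,delete_child,file_inherit
EOF
}

# On a Mac: ls -led ~ ~/* ~/*/* | find_propagated_deny_delete "$HOME"
sample_listing | find_propagated_deny_delete /Users/paul
```

Any path it prints is a candidate for removing just that entry with `chmod -a "everyone deny delete"` rather than stripping every ACL under the home folder.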
