
Wheel Group

I have noticed a trend that when on very seldom occasion some strangeness is going on with my system - the wheel group keeps popping up. This group seems to have unrestricted access - therefore I associate it as being a threat. I'm wondering what the normal ops standard is with this group. Is it normal to see this group throughout my system?

Is it normal that all downloaded files have wheel group permissions set?

"One cannot log into a machine remotely via telnet as root (unless root has no password), and therefore users who wish to obtain root access remotely must first log in as a normal user and then use su to gain root access. By restricting wheel access you can therefore reduce the probability that a compromised account will result in an intruder obtaining privileged access via the network."

How do I restrict wheel access?

Message was edited by: pianoman1976

iMac 2.4 GHz Intel Core 2 Duo, 4 GB SDRAM, Mac OS X (10.5.6)

Posted on Jan 3, 2009 11:42 AM


Jan 9, 2009 3:57 PM in response to KJK555

Yes, there are ACL's that Disk Utility cannot fix:

2009-01-09 15:44:17 -0800: Repairing permissions for “Macintizzle HD ”
2009-01-09 15:44:17 -0800: Reading permissions database.
2009-01-09 15:44:17 -0800: Reading the permissions database can take several minutes.

2009-01-09 15:45:19 -0800: Warning: SUID file "System/Library/Filesystems/AppleShare/afpLoad" has been modified and will not be repaired.
2009-01-09 15:45:20 -0800: ACL found but not expected on "private/var/root/Library/Preferences".
2009-01-09 15:45:20 -0800: ACL found but not expected on "private/var/root/Library".
2009-01-09 15:45:20 -0800: ACL found but not expected on "private/etc/mach init_per_loginsession.d".
2009-01-09 15:45:20 -0800: ACL found but not expected on "private/etc/mach init_peruser.d".
2009-01-09 15:45:21 -0800: Warning: SUID file "usr/bin/setregion" has been modified and will not be repaired.
2009-01-09 15:45:23 -0800: ACL found but not expected on "private/etc/cups/interfaces".
2009-01-09 15:45:23 -0800: ACL found but not expected on "private/etc/cups/ppd".
2009-01-09 15:45:23 -0800: ACL found but not expected on "private/etc/pam.d".
2009-01-09 15:45:23 -0800: ACL found but not expected on "private/etc/racoon/remote".
2009-01-09 15:45:24 -0800: ACL found but not expected on "private/etc/racoon".
2009-01-09 15:45:24 -0800: ACL found but not expected on "private/etc/mach_init.d".
2009-01-09 15:45:24 -0800: ACL found but not expected on "private/etc/periodic/daily".
2009-01-09 15:45:24 -0800: ACL found but not expected on "private/etc/periodic/monthly".
2009-01-09 15:45:24 -0800: ACL found but not expected on "private/etc/periodic/weekly".
2009-01-09 15:45:24 -0800: ACL found but not expected on "private/etc/periodic".
2009-01-09 15:45:24 -0800: ACL found but not expected on "private/etc/openldap/schema".
2009-01-09 15:45:24 -0800: ACL found but not expected on "private/etc/openldap".
2009-01-09 15:45:24 -0800: ACL found but not expected on "private/etc/podcastproducer".
2009-01-09 15:45:24 -0800: ACL found but not expected on "private/etc/manpaths.d".
2009-01-09 15:45:24 -0800: ACL found but not expected on "private/etc/paths.d".
2009-01-09 15:45:24 -0800: ACL found but not expected on "private/etc/xgrid/agent".
2009-01-09 15:45:24 -0800: ACL found but not expected on "private/etc/xgrid/controller".
2009-01-09 15:45:24 -0800: ACL found but not expected on "private/etc/xgrid".
2009-01-09 15:45:24 -0800: ACL found but not expected on "private/etc/apache2/extra".
2009-01-09 15:45:24 -0800: ACL found but not expected on "private/etc/apache2/other".
2009-01-09 15:45:24 -0800: ACL found but not expected on "private/etc/apache2/users".
2009-01-09 15:45:24 -0800: ACL found but not expected on "private/etc/defaults".
2009-01-09 15:45:25 -0800: ACL found but not expected on "private/etc/snmp".
2009-01-09 15:45:25 -0800: ACL found but not expected on "private/etc/ppp".
2009-01-09 15:45:29 -0800: Warning: SUID file "System/Library/PrivateFrameworks/Install.framework/Versions/A/Resources/runner" has been modified and will not be repaired.
2009-01-09 15:45:29 -0800: Warning: SUID file "System/Library/Printers/IOMs/LPRIOM.plugin/Contents/MacOS/LPRIOMHelper" has been modified and will not be repaired.
2009-01-09 15:45:29 -0800: ACL found but not expected on "private/etc/cups".
2009-01-09 15:45:30 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/MacOS".
2009-01-09 15:45:30 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/English.lproj/BluetoothPref.nib".
2009-01-09 15:45:30 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/English.lproj".
2009-01-09 15:45:30 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources".
2009-01-09 15:45:30 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents".
2009-01-09 15:45:30 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane".
2009-01-09 15:45:30 -0800: ACL found but not expected on "private/etc/apache2".
2009-01-09 15:45:30 -0800: ACL found but not expected on "private/etc/apache2/original/extra".
2009-01-09 15:45:30 -0800: ACL found but not expected on "private/etc/apache2/original".
2009-01-09 15:45:30 -0800: ACL found but not expected on "private/etc/postfix".
2009-01-09 15:45:33 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/da.lproj/BluetoothPref.nib".
2009-01-09 15:45:33 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/da.lproj".
2009-01-09 15:45:33 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/Dutch.lproj/BluetoothPref.nib".
2009-01-09 15:45:33 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/Dutch.lproj".
2009-01-09 15:45:33 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/fi.lproj/BluetoothPref.nib".
2009-01-09 15:45:33 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/fi.lproj".
2009-01-09 15:45:33 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/French.lproj/BluetoothPref.nib".
2009-01-09 15:45:33 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/French.lproj".
2009-01-09 15:45:33 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/German.lproj/BluetoothPref.nib".
2009-01-09 15:45:34 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/German.lproj".
2009-01-09 15:45:34 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/Italian.lproj/BluetoothPref.nib".
2009-01-09 15:45:34 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/Italian.lproj".
2009-01-09 15:45:34 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/Japanese.lproj/BluetoothPref.nib".
2009-01-09 15:45:34 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/Japanese.lproj".
2009-01-09 15:45:34 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/ko.lproj/BluetoothPref.nib".
2009-01-09 15:45:34 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/ko.lproj".
2009-01-09 15:45:34 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/no.lproj/BluetoothPref.nib".
2009-01-09 15:45:34 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/no.lproj".
2009-01-09 15:45:34 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/pl.lproj/BluetoothPref.nib".
2009-01-09 15:45:34 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/pl.lproj".
2009-01-09 15:45:34 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/ru.lproj/BluetoothPref.nib".
2009-01-09 15:45:34 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/ru.lproj".
2009-01-09 15:45:34 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/Spanish.lproj/BluetoothPref.nib".
2009-01-09 15:45:34 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/Spanish.lproj".
2009-01-09 15:45:34 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/sv.lproj/BluetoothPref.nib".
2009-01-09 15:45:34 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/sv.lproj".
2009-01-09 15:45:34 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/zh_CN.lproj/BluetoothPref.nib".
2009-01-09 15:45:34 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/zh_CN.lproj".
2009-01-09 15:45:34 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/zh_TW.lproj/BluetoothPref.nib".
2009-01-09 15:45:34 -0800: ACL found but not expected on "System/Library/PreferencePanes/Bluetooth.prefPane/Contents/Resources/zh_TW.lproj".
2009-01-09 15:45:35 -0800:
2009-01-09 15:45:35 -0800: Permissions repair complete

Jan 9, 2009 4:31 PM in response to baltwo

I missed that last sentence. Thank you for pointing this out to me.




From http://rixstep.com/1/20080620,00.shtml regarding the SUID article:


"ARDAgent is SUID root enabled and for 10.5 Leopard runs root commands like sudo - except sudo is clever and requires authentication and Apple's ARDAgent for Leopard doesn't give a ****.

'Someone needs to wake the **** up over there at Cupertino', writes Collins in the understatement of the century. But it's deeper than that: for the issue apparently has been known for almost a year - when Leopard was first introduced. But Apple - grab your flight bag - don't think it's a serious issue."

Jan 9, 2009 4:41 PM in response to pianoman1976

Understood, but sometimes Cupertino does know where to put its attention, but not always. Whether or not this is a huge security hole, I don't profess to know. If you agree with the author, file a bug report with Apple via its Bug Reporter system. To do this, join the Apple Developer Connection (ADC)—it's free and available for all Mac users and gets you a look at some development software. Since you already have an Apple username/ID, use that. Once a member, go to Apple BugReporter and file your bug report/enhancement request. You'll get a response and a follow-up number; thus, starting a dialog with engineering.

Jan 9, 2009 5:48 PM in response to pianoman1976

Yes, looks like ACL problems.

First of all, there should be no ACLs on your /private directory structure. You most likely are plagued
by what I call "runaway ACLs". Despite what Apple's article recommends, I have seen Leo "choke to
death" on ACL's more than once.

Leopard only uses one brand of ACL: "everyone deny delete". It is placed on select system folders
and user folders and is never placed on files. When the runaway ACL problem occurs, you will find
ACL's of all different varieties and flavors on both folders and files and will be found in directories
where ACL's never normally reside.

Second, Disk Utility won't find or even look for ACL's in your Users home directories. Why? Because
your user files have no entry in the receipt database. Only files and folders listed in the receipt
database are checked for correct permissions and ACL's.

http://support.apple.com/kb/TS1334
http://support.apple.com/kb/HT2963?viewlocale=en_US

I suggest following the instructions in the above support articles to repair your user directories
and then doing an archive and install to repair the OS.

Kj

Jan 9, 2009 9:43 PM in response to KJK555

Thank you for taking the time to help. I did what you recommended. After an archive reinstall, I'm not having any ACL issues any longer. 😉

My home folder shows Wheel with read only permissions just as before though.

My install log is here: http://www.mediafire.com/?zw4kbniyzdk

I chose the option to preserve the home user, so all my files are at home where they should be. I'm curious to know if it's safe to delete the "Previous Systems" folder as there doesn't seem to be anything in there I need?

Also, I'm back to 10.5. Should I not upgrade to 10.5.6 as it seemed to be after the upgrade that my problems occurred? Maybe it was just coincidence. Although I surely don't like the SUID issues related to the 10.5.6 upgrade. I know we're supposed to ignore them, yet it doesn't seem right.

Jan 10, 2009 11:01 AM in response to pianoman1976

Here is a program you will find handy for setting permissions:
http://www.gideonsoftworks.com/filexaminer.html

Here is a GUI program for setting ACL's:
http://www.mikey-san.net/sandbox/

You may update if you like. You may or may not get SUID errors after the update. Most of the
time you can apply the update again, if necessary, to get rid of the SUID errors or other problems.

Here is the terminal command to help you determine what permissions and ACL's are placed
on files and/or folders:

ls -ael /path/to/file_or_folder

The easiest way is to type "ls -ael", add a space, then find the file or folder in Finder, drag and
drop the file/folder onto the Terminal window. The path will automatically be filled in.

Here are some recommended references on ACL's and permissions:
http://www.afp548.com/filemgmt/index.php?id=40
http://manuals.info.apple.com/enUS/File_Services_Adminv10.5.pdf
http://support.novell.com/techcenter/articles/anp20010601.html
http://manuals.info.apple.com/enUS/Command_Line_Adminv10.5.pdf

Kj
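
Added example, not part of any post in this thread: a shell function that reads `ls -ael` output and flags ACL entries that break the rule KJK555 states above (only "everyone deny delete", and only on folders, never on files). The exact ACE text, the function names and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `ls -ael` output against the rule stated in the thread.
# ASSUMPTION: ls prints the expected entry as "group:everyone deny delete".
EXPECTED_ACE='group:everyone deny delete'

# Reads `ls -ael` output on stdin.
# Prints one finding per line: name<TAB>reason<TAB>ACE text.
audit_acl_listing() {
  awk -v expected="$EXPECTED_ACE" '
    # ACL entry lines follow their file line: " 0: group:everyone deny delete"
    /^ *[0-9]+: / {
      ace = $0
      sub(/^ *[0-9]+: */, "", ace)
      if (ace != expected)
        printf "%s\tunexpected ACE\t%s\n", name, ace
      else if (type != "d")
        printf "%s\tACL on non-directory\t%s\n", name, ace
      next
    }
    # File entry lines start with the mode string, e.g. "drwx------+"
    /^[-dlbcps][-rwxsStT]/ && NF >= 9 {
      type = substr($1, 1, 1)
      name = $9                       # rebuild names that contain spaces
      for (i = 10; i <= NF; i++) name = name " " $i
    }
  '
}

# Constructed sample listing (not taken from the thread).
sample_listing() {
  cat <<'EOF'
total 0
drwx------+  5 alice  staff  170 Jan 10 11:00 Documents
 0: group:everyone deny delete
drwxr-xr-x   4 alice  staff  136 Jan 10 11:00 Public
-rw-r--r--+  1 alice  staff   12 Jan 10 11:00 notes.txt
 0: group:everyone deny delete
drwxr-xr-x+  3 alice  staff  102 Jan 10 11:00 My Stuff
 0: user:guest allow list,search
 1: group:everyone deny delete
EOF
}

sample_listing | audit_acl_listing
```

On a real system, pipe the command from the post into the function, for example `ls -ael ~ | audit_acl_listing`.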
