39 Replies Latest reply: Jan 22, 2009 2:56 PM by macwiz1220
pianoman1976 Level 1 (100 points)
I have noticed a trend that when on very seldom occasion some strangeness is going on with my system - the wheel group keeps popping up. This group seems to have unrestricted access - therefore I associate it as being a threat. I'm wondering what the normal ops standard is with this group. Is it normal to see this group throughout my system?

Is it normal that all downloaded files have wheel group permissions set?

"One cannot log into a machine remotely via telnet as root (unless root has no password), and therefore users who wish to obtain root access remotely must first log in as a normal user and then use su to gain root access. By restricting wheel access you can therefore reduce the probability that a compromised account will result in an intruder obtaining privileged access via the network."

How do I restrict wheel access?

Message was edited by: pianoman1976

iMac 2.4 GHz Intel Core 2 Duo, 4 GB SDRAM, Mac OS X (10.5.6)
  • Niel Level 10 (298,302 points)
    Is it normal to see this group throughout my system?


    How do I restrict wheel access?

    Ensure that all administrator accounts on the machine have strong passwords. In most UNIX variants, someone has to be a member of the wheel group to be able to su to root. Mac OS X grants that to all administrator accounts.

  • pianoman1976 Level 1 (100 points)
    Is it normal that all downloaded files have wheel group permissions set?

    There are certain files that I cannot remove the wheel group from. This confuses me as to why I'm locked out from my own system. I don't feel the wheel group needs to be on /.vol. Attempting to change the permissions in gui is useless - nothing will budge. Terminal doesn't work either:

    ryans-imac-2:~ Ryan$ sudo chmod -RN /.vol
    sudo: /private/etc/sudoers is mode 0604, should be 0440
    ryans-imac-2:~ Ryan$ postdrop: warning: unable to look up public/pickup: No such file or directory

    I know I shouldn't be taking full control of certain files like this. I was just curious to see why and how wheel seems to be so persistent on some of these files. I don't see any reason why wheel needs to be here.

    I have a separate system that I keep off the network. On that system I don't have wheel popping up like it does on this system. I assume it's network remote access related.

    Message was edited by: pianoman1976
  • baltwo Level 9 (62,215 points)
    wheel is the normal group for most root-level items. Quit mucking with things and you'll be fine. This is what's on my machines:

    $ ls -Al /
    total 42229
    -rw-r--r-- 1 username staff 21508 Jan 3 11:49 .DS_Store
    drwx------ 3 root admin 102 Mar 3 2008 .Spotlight-V100
    drwxrwxrwt@ 3 username admin 102 Apr 21 2008 .TemporaryItems
    d-wx-wx-wt 2 root admin 68 Dec 19 18:47 .Trashes
    -rw-r--r--@ 1 username admin 204565 Jul 9 10:57 .VolumeIcon.icns
    -rw-r--r-- 1 root admin 0 Apr 20 2008
    drwx------@ 30 username staff 1020 Jan 2 15:59 .fseventsd
    -rw------- 1 root wheel 262144 Apr 20 2008 .hotfiles.btree
    drwxr-xr-x@ 2 root wheel 68 Nov 25 2007 .vol
    drwxrwxr-x@ 101 root admin 3434 Dec 15 11:45 Applications
    -rw-r--r--@ 1 root admin 4608 Sep 12 15:05 Desktop DB
    -rw-r--r--@ 1 root admin 2 Apr 21 2008 Desktop DF
    drwxrwxr-x@ 17 root admin 578 Nov 25 21:03 Developer
    drwxrwxr-t+ 70 root admin 2380 Dec 15 23:20 Library
    drwxr-xr-x@ 2 root wheel 68 Jan 28 2008 Network
    drwxr-xr-x 4 root wheel 136 Dec 15 11:48 System
    drwxr-xr-x 7 root admin 238 Jan 2 14:04 Users
    drwxrwxrwt@ 9 root admin 306 Jan 1 22:19 Volumes
    drwxr-xr-x@ 40 root wheel 1360 Dec 15 11:44 bin
    drwxrwxr-t@ 2 root admin 68 Jan 28 2008 cores
    dr-xr-xr-x 2 root wheel 512 Dec 22 16:22 dev
    lrwxr-xr-x@ 1 root admin 11 Apr 21 2008 etc -> private/etc
    dr-xr-xr-x 2 root wheel 1 Dec 22 16:22 home
    -rw-r--r--@ 1 root wheel 10318880 Nov 24 17:39 mach_kernel
    -rw-r--r--@ 1 root wheel 10768480 Nov 24 17:39 mach_kernel.ctfsys
    dr-xr-xr-x 2 root wheel 1 Dec 22 16:22 net
    drwxr-xr-x@ 6 root wheel 204 Apr 21 2008 private
    drwxr-xr-x@ 66 root wheel 2244 Dec 15 11:44 sbin
    lrwxr-xr-x@ 1 root admin 11 Apr 21 2008 tmp -> private/tmp
    drwxr-xr-x@ 12 root wheel 408 Apr 25 2008 usr
    lrwxr-xr-x@ 1 root admin 11 Apr 21 2008 var -> private/var
  • pianoman1976 Level 1 (100 points)
    We have this ongoing debate in my family over the word "muck". I swear it's not a real word.

    My dad would say, "Don't muck it up"!
  • baltwo Level 9 (62,215 points)
    Your dad's the smart one. Details in[2] and it applies to your recent postings to these forums. It's OK to explore, but unless you've schooled yourself, aimless wanderings amongst your computer's innards will ultimately result in a nonfunctioning machine.
  • pianoman1976 Level 1 (100 points)
    I'm not too sure about "smart" as he was using the term incorrectly as to damage something - like scratching the Cobra parked in the garage. Thanks for the clarification!
  • baltwo Level 9 (62,215 points)
    Ah! The link I posted dropped the [2] portion, which gives you the info for the intransitive verb:

    a: to engage in aimless activity —usually used with about or around
    b: putter, tinker —usually used with about or around <mucking around with his computer>
    c: interfere, meddle —usually used with about or around

    BTW, thanks for the feedback and rewards. Now, stop mucking around with the machine's innards.
  • Király Level 6 (9,720 points)
    pianoman1976 wrote:
    Is it normal that all downloaded files have wheel group permissions set?

    When a new file is created, the group specified for that file is the same group that is specified in the file's containing folder. The Leopard default is that your home folder and ~/Downloads folders have group:wheel set. So that will propagate down to any new files created therein.
  • V.K. Level 9 (56,110 points)
    The Leopard default is that your home folder and ~/Downloads folders have group:wheel set.

    that's wrong. this is most definitely not the leopard default. no regular user even belongs to wheel by default. the default group for the home directory (and the Downloads folder) is equal to the primary group of the user. all users created in leopard have primary group "staff". all users upgraded from Tiger have primary groups inherited from their private primary groups in Tiger.
  • Francine Schwieder Level 6 (19,045 points)
    As an inveterate mucker about (or should that be muck abouter?), I sympathize with those who just have to muck about with a computer. But one should really take precautions, all of which I figured out years ago, in Mac OS 7, where you could do a lot of really radical surgery.

    The first principle is to always know at least three ways to boot your computer--as in a startup drive, a second bootable drive, the install disk--and try out all of them before you do anything else.

    Second principle: always have a way to back out of what you did. These days a current Time Machine backup ought to work. But being a bit distrustful of new things on a mission critical function I also have a bootable clone of my current system. Actually, I also have bootable drives containing Tiger and a fairly pristine Leopard install as well. You can never have too many drives.

    Third principle: when tinkering first make a copy of the file/folder you are about to tinker with, and work on the copy. Thus, if you are going to alter a system file, drag it to the Desktop, open that version and edit it. Save your edited version somewhere else (I have a Mods folder where I save such things), then replace the file in the system folder with your edited version and see what happens.... If what happens is unfortunate you can use an alternate boot method, and then put the original version back. Of course, in Leopard things get a bit more complex because of ownership and permissions issues, but it is all still "doable" if one is sufficiently determined. Basic knowledge of UNIX and the Terminal is pretty much essential. A good place to start is here:

    And a good place to look for interesting things to do/modify is MacOSXHints:

    Mucking about without a safety net can lead to very unhappy outcomes.

  • Király Level 6 (9,720 points)
    Oops, sorry, you are right! I was thinking about the staff group. My mistake.
  • pianoman1976 Level 1 (100 points)
    In conclusion I've learned that some of these wheel permissions are indeed not standard. Wheel should not be on my downloads folder. When I remove it- my individual downloads still show wheel permissions.

    This is not a big deal for me, I just had a hunch about it and it seems my hunch is correct. Why and how this is happening is probably a topic more suited for a different forum.
  • KJK555 Level 4 (2,895 points)
    None of the files and folders in your home directory should be root (wheel) owned. User ID should be
    your short user name. The group name should be admin, staff or your user name (if upgraded from

    Use the chgrp command from to change the group. Do NOT use "apply to enclosed"
    option from Finder as this may unduly propagate unwanted ACLs as well.

    example terminal command to change group id:
    sudo chgrp -v -R staff ~/
    #will change all file and folders group id to "staff" in user home directory#
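
Added example, not part of KJK555's post or any other reply in the thread: a read-only audit that lists which entries under a directory have a group other than the expected one, so the scope of a recursive `chgrp` is known before it is run. The function names (`gid_of`, `audit_group`, `count_mismatches`, `summarize_groups`) are hypothetical helpers written for this illustration; the group may be given as a name such as `staff` or as a numeric gid.

```shell
#!/bin/sh
# Added example: read-only group audit. Nothing here modifies ownership.

# gid_of PATH -> numeric group id of PATH.
# Parsed from `ls -ldn`; field 4 is the gid in both BSD/macOS and GNU ls.
gid_of() {
    ls -ldn "$1" | awk '{print $4}'
}

# audit_group DIR GROUP
# Prints "<gid><TAB><path>" for every entry under DIR whose group is not GROUP.
# -xdev keeps find on DIR's own volume, so mounted disks are not walked.
audit_group() {
    find "$1" -xdev ! -group "$2" -print | while IFS= read -r path; do
        printf '%s\t%s\n' "$(gid_of "$path")" "$path"
    done
}

# count_mismatches DIR GROUP -> number of entries audit_group would list.
count_mismatches() {
    audit_group "$1" "$2" | wc -l | tr -d ' '
}

# summarize_groups DIR GROUP -> one "<count> <gid>" line per unexpected gid,
# most common first. Shows at a glance whether gid 0 (wheel) dominates.
summarize_groups() {
    audit_group "$1" "$2" | cut -f1 | sort | uniq -c | sort -rn |
        awk '{print $1, $2}'
}

# When run as a script with two arguments, e.g.  sh audit.sh "$HOME" staff
if [ "$#" -eq 2 ]; then
    audit_group "$1" "$2"
fi
```

An empty listing means every entry already has the expected group and a recursive change would alter nothing.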

  • baltwo Level 9 (62,215 points)
    I stopped watching this topic and missed your detailed and concise description. Well stated. Cheers!