
Wheel Group

I have noticed a trend that when on very seldom occasion some strangeness is going on with my system - the wheel group keeps popping up. This group seems to have unrestricted access - therefore I associate it as being a threat. I'm wondering what the normal ops standard is with this group. Is it normal to see this group throughout my system?

Is it normal that all downloaded files have wheel group permissions set?

"One cannot log into a machine remotely via telnet as root (unless root has no password), and therefore users who wish to obtain root access remotely must first log in as a normal user and then use su to gain root access. By restricting wheel access you can therefore reduce the probability that a compromised account will result in an intruder obtaining privileged access via the network."

How do I restrict wheel access?

Message was edited by: pianoman1976

iMac 2.4 GHz Intel Core 2 Duo, 4 GB SDRAM, Mac OS X (10.5.6)

Posted on Jan 3, 2009 11:42 AM

39 replies

Jan 3, 2009 11:48 AM in response to pianoman1976

Is it normal to see this group throughout my system?


Yes.

How do I restrict wheel access?


Ensure that all administrator accounts on the machine have strong passwords. In most UNIX variants, someone has to be a member of the wheel group to be able to su to root. Mac OS X grants that to all administrator accounts.


Jan 3, 2009 12:06 PM in response to pianoman1976

Is it normal that all downloaded files have wheel group permissions set?

There are certain files that I cannot remove the wheel group from. This confuses me as to why I'm locked out from my own system. I don't feel the wheel group needs to be on /.vol. Attempting to change the permissions in gui is useless - nothing will budge. Terminal doesn't work either:

ryans-imac-2:~ Ryan$ sudo chmod -RN /.vol
sudo: /private/etc/sudoers is mode 0604, should be 0440
ryans-imac-2:~ Ryan$ postdrop: warning: unable to look up public/pickup: No such file or directory

I know I shouldn't be taking full control of certain files like this. I was just curious to see why and how wheel seems to be so persistent on some of these files. I don't see any reason why wheel needs to be here.

I have a separate system that I keep off the network. On that system I don't have wheel popping up like it does on this system. I assume it's network remote access related.

Message was edited by: pianoman1976

Jan 3, 2009 1:13 PM in response to pianoman1976

wheel is the normal group for most root-level items. Quit mucking with things and you'll be fine. This is what's on my machines:

$ ls -Al /
total 42229
-rw-r--r-- 1 username staff 21508 Jan 3 11:49 .DS_Store
drwx------ 3 root admin 102 Mar 3 2008 .Spotlight-V100
drwxrwxrwt@ 3 username admin 102 Apr 21 2008 .TemporaryItems
d-wx-wx-wt 2 root admin 68 Dec 19 18:47 .Trashes
-rw-r--r--@ 1 username admin 204565 Jul 9 10:57 .VolumeIcon.icns
-rw-r--r-- 1 root admin 0 Apr 20 2008 .com.apple.timemachine.supported
drwx------@ 30 username staff 1020 Jan 2 15:59 .fseventsd
-rw------- 1 root wheel 262144 Apr 20 2008 .hotfiles.btree
drwxr-xr-x@ 2 root wheel 68 Nov 25 2007 .vol
drwxrwxr-x@ 101 root admin 3434 Dec 15 11:45 Applications
-rw-r--r--@ 1 root admin 4608 Sep 12 15:05 Desktop DB
-rw-r--r--@ 1 root admin 2 Apr 21 2008 Desktop DF
drwxrwxr-x@ 17 root admin 578 Nov 25 21:03 Developer
drwxrwxr-t+ 70 root admin 2380 Dec 15 23:20 Library
drwxr-xr-x@ 2 root wheel 68 Jan 28 2008 Network
drwxr-xr-x 4 root wheel 136 Dec 15 11:48 System
drwxr-xr-x 7 root admin 238 Jan 2 14:04 Users
drwxrwxrwt@ 9 root admin 306 Jan 1 22:19 Volumes
drwxr-xr-x@ 40 root wheel 1360 Dec 15 11:44 bin
drwxrwxr-t@ 2 root admin 68 Jan 28 2008 cores
dr-xr-xr-x 2 root wheel 512 Dec 22 16:22 dev
lrwxr-xr-x@ 1 root admin 11 Apr 21 2008 etc -> private/etc
dr-xr-xr-x 2 root wheel 1 Dec 22 16:22 home
-rw-r--r--@ 1 root wheel 10318880 Nov 24 17:39 mach_kernel
-rw-r--r--@ 1 root wheel 10768480 Nov 24 17:39 mach_kernel.ctfsys
dr-xr-xr-x 2 root wheel 1 Dec 22 16:22 net
drwxr-xr-x@ 6 root wheel 204 Apr 21 2008 private
drwxr-xr-x@ 66 root wheel 2244 Dec 15 11:44 sbin
lrwxr-xr-x@ 1 root admin 11 Apr 21 2008 tmp -> private/tmp
drwxr-xr-x@ 12 root wheel 408 Apr 25 2008 usr
lrwxr-xr-x@ 1 root admin 11 Apr 21 2008 var -> private/var

Jan 3, 2009 2:15 PM in response to pianoman1976

Ah! The link I posted dropped the [2] portion, which gives you the info for the intransitive verb:

a: to engage in aimless activity —usually used with about or around
b: putter, tinker —usually used with about or around <mucking around with his computer>
c: interfere, meddle —usually used with about or around

BTW, thanks for the feedback and rewards. Now, stop mucking around with the machine's innards. 🙂

Jan 3, 2009 2:46 PM in response to pianoman1976

pianoman1976 wrote:
Is it normal that all downloaded files have wheel group permissions set?


When a new file is created, the group specified for that file is the same group that is specified in the file's containing folder. The Leopard default is that your home folder and ~/Downloads folders have group:wheel set. So that will propagate down to any new files created therein.

Jan 3, 2009 3:39 PM in response to Király

The Leopard default is that your home folder and ~/Downloads folders have group:wheel set.

that's wrong. this is most definitely not the leopard default. no regular user even belongs to wheel by default. the default group for the home directory (and the Downloads folder) is equal to the primary group of the user. all users created in leopard have primary group "staff". all users upgraded from Tiger have primary groups inherited from their private primary groups in Tiger.

Jan 3, 2009 4:37 PM in response to baltwo

As an inveterate mucker about (or should that be muck abouter?), I sympathize with those who just have to muck about with a computer. But one should really take precautions, all of which I figured out years ago, in Mac OS 7, where you could do a lot of really radical surgery.

The first principle is to always know at least three ways to boot your computer--as in a startup drive, a second bootable drive, the install disk--and try out all of them before you do anything else.

Second principle: always have a way to back out of what you did. These days a current Time Machine backup ought to work. But being a bit distrustful of new things on a mission critical function I also have a bootable clone of my current system. Actually, I also have bootable drives containing Tiger and a fairly pristine Leopard install as well. You can never have too many drives.

Third principle: when tinkering first make a copy of the file/folder you are about to tinker with, and work on the copy. Thus, if you are going to alter a system file, drag it to the Desktop, open that version and edit it. Save your edited version somewhere else (I have a Mods folder where I save such things), then replace the file in the system folder with your edited version and see what happens.... If what happens is unfortunate you can use an alternate boot method, and then put the original version back. Of course, in Leopard things get a bit more complex because of ownership and permissions issues, but it is all still "doable" if one is sufficiently determined. Basic knowledge of UNIX and the Terminal is pretty much essential. A good place to start is here:

http://www.osxfaq.com/Tutorials/LearningCenter/index.ws

And a good place to look for interesting things to do/modify is MacOSXHints:

http://www.macosxhints.com/

Mucking about without a safety net can lead to very unhappy outcomes.
Francine


Jan 9, 2009 10:47 AM in response to pianoman1976

In conclusion I've learned that some of these wheel permissions are indeed not standard. Wheel should not be on my downloads folder. When I remove it, my individual downloads still show wheel permissions.

This is not a big deal for me, I just had a hunch about it and it seems my hunch is correct. Why and how this is happening is probably a topic more suited for a different forum.

Jan 9, 2009 12:10 PM in response to pianoman1976

None of the files and folders in your home directory should be root (wheel) owned. User ID should be
your short user name. The group name should be admin, staff or your user name (if upgraded from
Tiger).

Use the chgrp command from Terminal.app to change the group. Do NOT use the "apply to enclosed"
option from Finder, as this may unduly propagate unwanted ACLs as well.

example terminal command to change group id:
sudo chgrp -v -R staff ~/
#will change all file and folders group id to "staff" in user home directory#

Kj
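
A read-only check to run before a recursive chgrp like the one above, added here as an example and not part of any post in this thread: it lists items in a home folder that are owned by another user or carry group wheel, and checks the sudoers mode that sudo complained about earlier. The function names are hypothetical, and gid 0 is assumed to be wheel, as it is on Mac OS X.

```shell
#!/bin/sh
# Added example (not from the thread). Read-only audit: nothing is changed.
# Assumption: gid 0 is "wheel" (true on Mac OS X); numeric ids are used
# so the same find expressions work on other UNIX systems too.

# list_suspect DIR OWNER_UID BAD_GID
# Print every item under DIR that is not owned by OWNER_UID or whose
# group is BAD_GID. find does not follow symlinks by default.
list_suspect() {
    find "$1" \( ! -user "$2" -o -group "$3" \) -print 2>/dev/null
}

# count_suspect DIR OWNER_UID BAD_GID
# Number of suspect items (a name containing a newline counts per line).
count_suspect() {
    list_suspect "$1" "$2" "$3" | wc -l | tr -d ' '
}

# mode_is FILE OCTAL_MODE
# Exit 0 only if FILE's permission bits are exactly OCTAL_MODE.
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

# audit [HOME_DIR] [SUDOERS_FILE]
# Summarise ownership problems and compare the sudoers mode with the
# 0440 that sudo asked for in the error message quoted in the thread.
audit() {
    home=${1:-$HOME}
    sudoers=${2:-/private/etc/sudoers}
    n=$(count_suspect "$home" "$(id -u)" 0)
    echo "$n item(s) under $home owned by another user or with group gid 0"
    list_suspect "$home" "$(id -u)" 0 | head -n 20
    if [ -e "$sudoers" ] && ! mode_is "$sudoers" 0440; then
        echo "$sudoers is not mode 0440"
    fi
}

# Usage, after sourcing this file:  audit
```

Existing files keep the group they were created with, so changing the group on the Downloads folder alone affects only files created afterwards; the list shows which existing items still need attention.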
