Apple Event: May 7th at 7 am PT
Hi
Who can explain to me what are the groups "staff", "system", "admin", I saw "wheel" also, and others
What is their meaning and what is their action ?
Thanks
iMac, Macbook Pro, iPod-nano, iPod-touch, iPhone, Mac OS X (10.6.6)
Thankyou very much for your kind reply. I will most certainly restart this discussion because I think it is a very important one. I understand your valuable points. I hope i can quote you in further discussion on the subject. Thanks again for taking the time to help.
This type of answer, where the person asking the question is told they don't need the information they are requesting, is popular among experienced *nix administrators more than other specialties within the information technology profession. It is inappropriate to tell someone the information they have requested is something they don't need. Decisions about the information any particular person needs to operate a system belong to the person operating the system. I am offended when people tell me I don't need the information I have asked for, especially when they know nothing about me, my background, responsibilities or requirements. When it comes to my Mac, It's my computer, I will do what I want with it. I appreciate warnings and recommendations but not the way it comes from *nix administrators more than any group of professionals I have encountered in any field, inside and outside IT.
It's appropriate to advise people asking about *nix permissions that changing permissions can more easily than not trigger unintended results. It is inappropriate to tell people they don't need to know what you know. How did you find out if that information is unnecessary? Why is it appropriate for you to have that information and not someone else?
I have noticed this type of patronizing attitude and manner of expression among *nix administrators since my first *nix -related assignment, and verified my observations with dozens of colleagues. For reasons worth scientific inquiry and as yet known, unix administrators often encourage one another to condescend.
Now that *nix systems are so widely available, the mysteries of *nix permissions are known by more people. Anyone owning a *nix system, which includes all mac owners, has as much reason as anyone to know every single detail about permissions on their system. Why doesn't cmr&xpg need to know more than what you provided?
Since your question is not marked answered, I am guessing you are still wondering about the osx user groups, "staff", "system", "admin", and "wheel".
Here is what I can tell you about all these groups:
WHEEL - As previously mentioned, the wheel group has more permissions than any other group. I don't know a quick way to have the system show whether being a member of the wheel group provides ALL the permissions that the root user has, but I can tell you that on my mac, the only member of WHEEL is root. That information is provided by entering this into the command line:
dscacheutil -q group -a name wheelSYSTEM - My installation of macOS Sierra has no group and no user named system.
ADMIN - users in this group are:
root, test. <default admin setup when osx is first run after installation>
A couple other groups that you might find of interest:
STAFF - members of this group can do most but not all the things unix can do . members of the staff group are:
root, <default admin setup when osx is first run after installation>
I am not sure, but I think the staff group can do almost anything the root account can do as a result of the sudo arrangement.
The sudo arrangement provides most superuser privileges to non superuser accounts via a sudo prefix on commands entered at the command line. Most descriptions falsely state that sudo provides all the privileges of the root user. Sudo works differently in different kinds of *nix and it is complicated.
DAEMON - in order for a daemon to run, the daemon group is going to need to have access to the file, to read and execute it. The only member of the daemon group is root, so why there is a separate group for daemon and why wheel is not used by convention, permissions are arranged defensively, that is, to limit damage if someone gets unauthorized access to a group or account. The idea is that a daemon can do to the system only what the daemon group can do. Since the only member of the group is the root user, the defense here would apply only if someone got to be a member of the daemon group without being the root user. In normal operation, it doesn't matter, but a lot of these groups and permissions are setup to protect the system from abnormal operation, where something is going wrong. I can tell you without looking that the daemon group has permissions that do not extend to all parts of the system. That is the general purpose for all the groups.
BACKGROUND
I can see two approaches to answering your question. One approach is to provide a rationale for the the existence of each of these groups. My first take on these groups is they all have powerful permissions that allow near, but not complete control of the system. That got me wondering why not just have one group instead of three? There must be a good reason, so what is the reason for their differences and then what are the details of of their differences? I will try answering that in a moment, but I can tell you know, I do not have a complete answer to that.
The other approach is to just look at exactly what permissions each of these groups have, especially what permissions each does NOT have, since all three of these groups have at least almost-all the permissions available on a *nix system. Understanding the permissions not granted to each of these groups is important to understanding why there are three groups instead of one for system admin. I will tell you what I know about the exact permissions each of these groups has.
The first thing in my mind to tackling this is make sure I have a handle on how permissions work in *nix. If you know that, and you can login as the root user on your system, which you can do on your mac, then you can just ask the system what permissions these groups have and which users are members of these groups. The catch on this the system's response is kind of complicated.
The root user is a member of the following groups (this information is listed as a result of typing this into the command line: groups root):
Tracking down the permissions and other members of all those groups is going to a chore. I can envision a speadsheet with the groups wheel, admin, and staff across the top and a long list of system directories and files indicating permissions for each group in all the directories and files and from that trying to interpret intention for having three groups instead of one.
The default administrator on a mac, the account setup when the is first setup, is in these groups this information is listed as a result of typing this into the command line: groups <my username>): This basically is the mac owner's account
That looks like the default admin account is not in these groups that root is in:
i am going to cut this off here, because this is getting kind of long and really addressing all the whys for the groups you asked about would require clarity on all these closely-related groups as well. My hope is what I have written will provide something that makes sense and maybe leads to other questions and conversation in this forum.
If there is anything else you would like to know or have issue with anything I have written, please do not hesitate to let me know and I will respond the best I can.
What are the groups of Mac OS