What are the groups of Mac OS

Hi


Who can explain to me what the groups "staff", "system", "admin" are? I saw "wheel" also, and others.

What is their meaning and what is their action?


Thanks

iMac, Macbook Pro, iPod-nano, iPod-touch, iPhone, Mac OS X (10.6.6)

Posted on Jan 31, 2012 2:15 PM


Oct 9, 2016 9:00 PM in response to cmrandxpg__

Since your question is not marked answered, I am guessing you are still wondering about the osx user groups, "staff", "system", "admin", and "wheel".


Here is what I can tell you about all these groups:

WHEEL - As previously mentioned, the wheel group has more permissions than any other group. I don't know a quick way to have the system show whether being a member of the wheel group provides ALL the permissions that the root user has, but I can tell you that on my mac, the only member of WHEEL is root. That information is provided by entering this into the command line:

dscacheutil -q group -a name wheel

SYSTEM - My installation of macOS Sierra has no group and no user named system.

ADMIN - users in this group are:

root, test. <default admin setup when osx is first run after installation>

A couple other groups that you might find of interest:

STAFF - members of this group can do most but not all the things unix can do. Members of the staff group are:

root, <default admin setup when osx is first run after installation>

I am not sure, but I think the staff group can do almost anything the root account can do as a result of the sudo arrangement.

The sudo arrangement provides most superuser privileges to non superuser accounts via a sudo prefix on commands entered at the command line. Most descriptions falsely state that sudo provides all the privileges of the root user. Sudo works differently in different kinds of *nix and it is complicated.

DAEMON - in order for a daemon to run, the daemon group is going to need to have access to the file, to read and execute it. The only member of the daemon group is root. As for why there is a separate group for daemon and why wheel is not used: by convention, permissions are arranged defensively, that is, to limit damage if someone gets unauthorized access to a group or account. The idea is that a daemon can do to the system only what the daemon group can do. Since the only member of the group is the root user, the defense here would apply only if someone got to be a member of the daemon group without being the root user. In normal operation, it doesn't matter, but a lot of these groups and permissions are set up to protect the system from abnormal operation, where something is going wrong. I can tell you without looking that the daemon group has permissions that do not extend to all parts of the system. That is the general purpose for all the groups.

BACKGROUND

I can see two approaches to answering your question. One approach is to provide a rationale for the existence of each of these groups. My first take on these groups is they all have powerful permissions that allow near, but not complete control of the system. That got me wondering why not just have one group instead of three? There must be a good reason, so what is the reason for their differences and then what are the details of their differences? I will try answering that in a moment, but I can tell you now, I do not have a complete answer to that.


The other approach is to just look at exactly what permissions each of these groups have, especially what permissions each does NOT have, since all three of these groups have at least almost-all the permissions available on a *nix system. Understanding the permissions not granted to each of these groups is important to understanding why there are three groups instead of one for system admin. I will tell you what I know about the exact permissions each of these groups has.


The first thing in my mind to tackling this is to make sure I have a handle on how permissions work in *nix. If you know that, and you can login as the root user on your system, which you can do on your mac, then you can just ask the system what permissions these groups have and which users are members of these groups. The catch is that the system's response is kind of complicated.


The root user is a member of the following groups (this information is listed as a result of typing this into the command line: groups root):

  • wheel
  • daemon
  • kmem
  • sys
  • tty
  • operator
  • procview
  • procmod
  • everyone
  • staff
  • certusers
  • localaccounts
  • admin
  • com.apple.sharepoint.group.2
  • _appstore
  • _lpadmin
  • _lpoperator
  • _developer
  • com.apple.access_ftp
  • com.apple.access_screensharing
  • com.apple.access_ssh
  • com.apple.sharepoint.group.1


Tracking down the permissions and other members of all those groups is going to be a chore. I can envision a spreadsheet with the groups wheel, admin, and staff across the top and a long list of system directories and files indicating permissions for each group in all the directories and files and from that trying to interpret the intention for having three groups instead of one.


The default administrator on a mac, the account set up when it is first set up, is in these groups (this information is listed as a result of typing this into the command line: groups <my username>). This basically is the mac owner's account:

  • staff
  • com.apple.sharepoint.group.2
  • everyone
  • localaccounts
  • _appserverusr
  • admin
  • _appserveradm
  • _lpadmin
  • _appstore
  • _lpoperator
  • _developer
  • com.apple.access_ftp
  • com.apple.access_screensharing
  • com.apple.access_ssh
  • com.apple.sharepoint.group.1

That looks like the default admin account is not in these groups that root is in:

  • wheel
  • daemon
  • kmem
  • sys
  • tty
  • operator
  • procview
  • procmod


I am going to cut this off here, because this is getting kind of long and really addressing all the whys for the groups you asked about would require clarity on all these closely-related groups as well. My hope is what I have written will provide something that makes sense and maybe leads to other questions and conversation in this forum.

If there is anything else you would like to know or have issue with anything I have written, please do not hesitate to let me know and I will respond the best I can.
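The comparison done by hand in the post above (which groups root is in that the default admin account is not, and who the members of a group are) can be scripted. The following is an added example and not code from the post or from Apple: on a real Mac the inputs would come from `id -Gn root`, `id -Gn "$USER"` and `dscacheutil -q group -a name wheel`; here the inputs are constructed sample strings so the script runs offline on any POSIX sh, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: compare the group lists of two accounts and pull the member
# list out of a dscacheutil group record. All inputs below are CONSTRUCTED
# samples standing in for real command output on a Mac.

# Constructed sample of `id -Gn root` (space-separated group names).
ROOT_GROUPS="wheel daemon kmem sys tty operator procview procmod everyone staff localaccounts admin"

# Constructed sample of `id -Gn` for the default admin account.
ADMIN_GROUPS="staff everyone localaccounts admin _lpadmin"

# Constructed sample of one `dscacheutil -q group -a name wheel` record.
# dscacheutil prints one "key: value" line per attribute; members sit on the
# "users:" line, space-separated.
WHEEL_RECORD="name: wheel
password: *
gid: 0
users: root"

# groups_only_in LIST_A LIST_B
# Print, one per line, every group in LIST_A that is absent from LIST_B.
# Pure shell set difference: pad both lists with spaces so a pattern match
# on " name " cannot hit a substring of a longer group name.
groups_only_in() {
    for g in $1; do
        case " $2 " in
            *" $g "*) ;;                 # also in LIST_B: not interesting
            *) printf '%s\n' "$g" ;;     # only in LIST_A: report it
        esac
    done
}

# group_members RECORD
# Extract the members from a dscacheutil group record, one per line.
# A group with no members yields no output at all.
group_members() {
    printf '%s\n' "$1" | sed -n 's/^users: *//p' | tr ' ' '\n' | sed '/^$/d'
}

# user_in_group LIST GROUP
# Exit 0 when GROUP appears in the user's group LIST, 1 otherwise. This is
# the offline counterpart of `dsmemberutil checkmembership -U user -G group`.
user_in_group() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: reproduce the comparison the post made by hand.
echo "Groups root is in that the admin account is not:"
groups_only_in "$ROOT_GROUPS" "$ADMIN_GROUPS" | sed 's/^/  - /'
echo "Groups the admin account is in that root is not:"
groups_only_in "$ADMIN_GROUPS" "$ROOT_GROUPS" | sed 's/^/  - /'
echo "Members of wheel:"
group_members "$WHEEL_RECORD" | sed 's/^/  - /'
if user_in_group "$ADMIN_GROUPS" wheel; then
    echo "admin account IS in wheel"
else
    echo "admin account is NOT in wheel"
fi
```

On a Mac, replace the sample strings with real output, for example `ROOT_GROUPS=$(id -Gn root)` and `WHEEL_RECORD=$(dscacheutil -q group -a name wheel)`; the functions themselves do not change. Reviewing the difference list is the useful part for a defender: any non-root account that turns up in wheel, daemon, kmem or procmod deserves an explanation, because those are exactly the groups the post shows the default admin account is not supposed to be in.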



Oct 9, 2016 7:57 PM in response to Király

This type of answer, where the person asking the question is told they don't need the information they are requesting, is popular among experienced *nix administrators more than other specialties within the information technology profession. It is inappropriate to tell someone the information they have requested is something they don't need. Decisions about the information any particular person needs to operate a system belong to the person operating the system. I am offended when people tell me I don't need the information I have asked for, especially when they know nothing about me, my background, responsibilities or requirements. When it comes to my Mac, it's my computer, I will do what I want with it. I appreciate warnings and recommendations but not the way it comes from *nix administrators more than any group of professionals I have encountered in any field, inside and outside IT.


It's appropriate to advise people asking about *nix permissions that changing permissions can more easily than not trigger unintended results. It is inappropriate to tell people they don't need to know what you know. How did you find out if that information is unnecessary? Why is it appropriate for you to have that information and not someone else?


I have noticed this type of patronizing attitude and manner of expression among *nix administrators since my first *nix-related assignment, and verified my observations with dozens of colleagues. For reasons worth scientific inquiry and as yet known, unix administrators often encourage one another to condescend.


Now that *nix systems are so widely available, the mysteries of *nix permissions are known by more people. Anyone owning a *nix system, which includes all mac owners, has as much reason as anyone to know every single detail about permissions on their system. Why doesn't cmr&xpg need to know more than what you provided?

Feb 1, 2012 2:38 PM in response to cmrandxpg__

cmr&xpg wrote:


But what I'm looking for is information and explanation about specific groups like "Wheel", "System", "Admin" etc...

and what role they have.

Their role is to control access to files & procedures to improve the security, privacy, & robustness of the OS.


"System" is the root user with almost unlimited access. Accordingly, it is a member of most groups. "Wheel" is a group that has special privileges that are basically a subset of system's. "Admin" is similar, but with far fewer privileges.

Feb 1, 2012 2:44 PM in response to cmrandxpg__

cmr&xpg wrote:



But what I'm looking for is information and explanation about specific groups like "Wheel", "System", "Admin" etc...

and what role they have.


Although I can't find one document that puts this all together, do a search using "OS X groups root, wheel, admin, staff." You'll find some helpful links which will give you the basic idea. Ignore any discussion of NetInfo Manager, which has been dropped beginning with Leopard and now Snow Leopard.

Feb 1, 2012 3:37 PM in response to cmrandxpg__

You really don't need to worry about these groups.


They are a carryover from the UNIX systems that have been used for decades in institutions like universities, where there may be dozens or hundreds of different groups set up by the system administrators, to manage thousands of individual users with thousands of computers.


On a home computer running OS X, there still are the traditional groups like system, staff, wheel, etc. They're used by the internal workings of the system and you really don't need to worry about them. DO NOT try to change them, delete them, add or remove users to/from them, etc.


The only groups you really need to concern yourself with are the admin group, and any custom groups you choose to make for the purposes of sharing files between your account and any other local accounts.


The root user is the superuser with unlimited privileges.

Users in the admin group can do many things to administer the system, and can elevate themselves to root (unlimited privileges) simply by authenticating with their own password.

Users who are not in the admin group can only modify files in their own home folders. They cannot delete or change any other user's files, nor can they modify any global system settings.


That's all you really need to know.

Feb 1, 2012 4:31 PM in response to cmrandxpg__

cmr&xpg wrote:


But what I'm looking for is information and explanation about specific groups like "Wheel", "System", "Admin" etc... and what role they have.

You won't find explanations of that sort in the Apple KB doc you were referred to (because, contrary to what you've been told, they aren't there), and probably not in any KB doc.


It's one of those, "if you don't know, you don't need to know" things. They're not specific to Mac OS X, but come from its Unix foundation; for the average user, they're mostly trivial, and in part of only historic value.


For instance, the "wheel" group (the name comes from the colloquial phrase "big wheel") designated a user elite whose members could assume root privileges with the su command. Since Tiger, this is no longer possible in Mac OS X, so "wheel" is now essentially the same thing as "admin".


All you need to know is that there are three levels -- the root user, who can do anything, including completely destroy the OS; the admin users, who can do much of what the root user can, but, in theory, should not be able to destroy the OS; and the rest (aka οἱ πολλοί), who can work with, but (in theory) not damage the OS. (There is actually a fourth level, the nobody user, who can do very little indeed, but… you see how quickly it becomes complicated?)


If you want all the gory and historical details, you can google for it, check Wikipedia


<http://en.wikipedia.org/wiki/Wheel_(Unix_term)>


or try to find a Unix (particularly BSD) history or manual with a good historical section.


You can also find a few skimpy details in Apple's Developer library.


HTH

Feb 1, 2012 6:16 PM in response to R C-R

R C-R wrote:


"System" is the root user with almost unlimited access.

To add to this, keep in mind that "System" is the GUI's (Finder's) name for (the) root (user). There isn't really either a user or a group named "System" or "system"; and the "sys" group is something else.


You really need to use Terminal if you want to get deeper into this. The groups command, used by other Unix variants, is obsolete; you can use the id and dsmemberutil commands to check groups to which a specific user belongs, and related information.


Other Unix variants make use of </etc/group>, but, to my knowledge, this is not used by Mac OS X. I suppose it is possible to list all members of a group with dscl, but I haven't looked into it.

Feb 11, 2014 2:11 PM in response to Király

When someone tells me you do not need to worry about such things, I get worried. There is very little information available on these USER groups and their function. We never had such things on the early macintosh computers. The OS was a very transparent system in the 80's. I left the mac world for ten years because I had no money. I have to say what I see now on the Macbook Pro worries me. I would just like some very clear info on what these user groups mean. Can someone please help? I try changing these groups and they just come back again. Are they being reinstated by my Carbon cloner? I have just noted that my external drive seems to chew a lot longer than is normal when connected to the internet. It will do a clone and then frequently play around for 20 minutes afterwards. I do not like it.


Thanks for the help, anyone that really wants to tell me about these USER groups and why they are on my hard drives. I do not understand why I, MYSELF, cannot restrict access to ME.

Feb 12, 2014 2:05 PM in response to clbobman

clbobman wrote:

Also to reiterate. I am not part of a NETWORK. I live at home with my wife. Why can I not just be ONE USER! Is it possible?

Hello, clbobman!


Please note that this topic has been dormant for two years. Since few people are likely to still be following it, it would be better to start a new topic of your own if you need help with this, preferably in the forum for the OS version you are using.


With that out of the way, please be aware that you are most certainly part of a network. It is the Internet, the largest one on the planet! As was mentioned by several contributors back when this topic was active, users & groups exist largely to protect your privacy & security from the millions & millions of other users who share that vast network with you.


Unfortunately, an ever increasing number of those users are criminals who would like nothing better than for you to run an OS that provided little or nothing to prevent them from taking over control of your computer remotely, stealing the personal & private information you have stored on it & using it however they want, installing software to do their bidding instead of yours, & so on. Even if they aren't completely successful, the attack may leave your system unstable or sluggish, destroy some or all of your document files, or even corrupt the file system so badly that you would have to erase everything & start fresh with a new installation of the OS to recover.


With just one user who has unrestricted access to control everything, that isn't very hard to do. To prevent this (& to prevent users from accidentally doing things with the same result), like in every other modern OS, OS X includes a complex system of permissions to restrict & control access to various parts of the system. In OS X, this is implemented as an abstracted system of users & groups, each given permissions to perform only specific kinds of tasks.


So for example, when a human user like you or me asks the Mac to do something, that request may be handed off to one or more non-human users, each able to handle only part of that task, & relying (like us) on other non-human users to do what it can't.


This compartmentalization makes it very difficult to take over control of the Mac & force it to do things it should not do, whether by accident or intent. It also makes it difficult to understand exactly how it all works. Fortunately, as has already been said, as users we don't need to unless we are intent on changing it. And if we are going to do that, we better have a very good understanding of how it all works. (Otherwise, it is very likely we will just break things, cause data loss, or worse.)


If understanding all that is your goal, Apple's developer web site is full of info you can study, & there are quite a few books on the subject. But be warned, this is not simple stuff. It can take months or years to absorb it all.


That's why most of us leave it to the programmers & just use our Macs to do the stuff we want without worrying too much about how it does that. 🙂
