The wheel Group
19 July 2007
The wheel group is, perhaps, not widely used today, or is seen as “archaic” and irrelevant. Nothing could be further from the truth.
The wheel group is a group which limits the number of people who are able to su to root. This usually consists of a group named “wheel” and a set of users that are permitted to use the utility ’su’ in order to change to root.
Many systems, especially commercial systems and Linux systems, come without a wheel group configured and implemented. At least one Linux distribution comes with the wheel group preconfigured but not active. However, all or nearly all BSD-based systems come with the wheel group installed and set up.
At its simplest, a wheel group implementation requires no special setup. The basic setup, as it was in the beginning, was to do the following:
- Create a “wheel” group in /etc/group
- Change the permissions of the “su” command so that only those in the “wheel” group may run it.
That’s all there is to it. Many su implementations, however, added internal support for the wheel group, perhaps with logs kept and a more informative refusal message explaining why su would not run (for those not in the wheel group).
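The two steps above can be checked on a live system. The following script is an added example, not part of the original post: it reads the members of wheel from a group file and decides from `ls -ld` output whether su is limited to that group. The function names and the default path /usr/bin/su are assumptions, and the sample values at the end are constructed.

```shell
#!/bin/sh
# Added example: audit the classic wheel restriction on su.
# The restriction itself is applied as root with (su path assumed):
#   chgrp wheel /usr/bin/su && chmod 4750 /usr/bin/su

# Print the member list of the wheel group from a group(5)-format file.
wheel_members() {
    awk -F: '$1 == "wheel" { print $4 }' "${1:-/etc/group}"
}

# Judge an ls-style permission string (e.g. -rwsr-x---) and a group owner.
# Returns 0 only if su is setuid, group-executable, not world-executable,
# and group-owned by wheel.
check_su_perms() {
    perms=$1 group=$2
    case $perms in
        ???[sS]*) ;;
        *) echo "FAIL: setuid bit missing, su cannot become root"; return 1 ;;
    esac
    case $perms in
        ?????????[xt]*) echo "FAIL: world-executable, any local user may run su"; return 1 ;;
    esac
    case $perms in
        ??????[xs]*) ;;
        *) echo "FAIL: group has no execute permission"; return 1 ;;
    esac
    [ "$group" = "wheel" ] || { echo "FAIL: group owner is $group, not wheel"; return 1; }
    echo "OK: only the owner and members of wheel can execute su"
}

# Audit a real file; ls -ld is used because it behaves the same on BSD and Linux.
audit_su() {
    line=$(ls -ld -- "${1:-/usr/bin/su}") || return 2
    perms=$(printf '%s\n' "$line" | awk '{ print $1 }')
    group=$(printf '%s\n' "$line" | awk '{ print $4 }')
    check_su_perms "$perms" "$group"
}

# Constructed sample values: a restricted su and a stock world-executable one.
check_su_perms -rwsr-x--- wheel
check_su_perms -rwsr-xr-x root || true
```

Run `audit_su` with the path of su on the system being checked, and `wheel_members` to see who can still reach it.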
One reason that the wheel group is not widely used may have something to do with the GNU project. The GNU implementation of su has this in its info page:
Why GNU `su' does not support the `wheel' group
===============================================

(This section is by Richard Stallman.)

Sometimes a few of the users try to hold total power over all the rest. For example, in 1984, a few users at the MIT AI lab decided to seize power by changing the operator password on the Twenex system and keeping it secret from everyone else. (I was able to thwart this coup and give power back to the users by patching the kernel, but I wouldn't know how to do that in Unix.)

However, occasionally the rulers do tell someone. Under the usual `su' mechanism, once someone learns the root password who sympathizes with the ordinary users, he or she can tell the rest. The "wheel group" feature would make this impossible, and thus cement the power of the rulers.

I'm on the side of the masses, not that of the rulers. If you are used to supporting the bosses and sysadmins in whatever they do, you might find this idea strange at first.
Is it any wonder that GNU/Linux systems don’t enable the wheel group by default? FreeBSD, however, does use the wheel group by default – as do OpenBSD and NetBSD.
9 Comments

1.
Anonymous | 13 August 2008 at 7:52 am
I have noticed that the or a “wheel” group has been reading and writing data off my computer. I have also noticed that other things have gone on with my computer as well such as two proxies set up of which were not authorized. There has also been information from this computer used to write stories and music from information gathered. Which does not give me as the author free rein to write/compose or sketch on my computer without someone else using the information. Now, I know this sounds impossible; I have been told this is impossible, but it isn’t. So much for the security programs offered for computers that people spend vast amts of money on.
So, you SEE, this by now has probably already been read and written as I type this for all I know….perhaps I need to bring up the activity monitor and check that out.
Have a lovely day.
I
2.
ddouthitt | 14 August 2008 at 4:00 pm
As you noticed, it is not impossible for your computer to be compromised (as we call it). If someone is determined enough, any computer can be taken over by someone else.
The best you can do is to keep your system updated and run checks for viruses, etc. on a regular basis. If you are an end user who wants a system that requires no updating or patching, you won’t find one.
If you are a user that wants a system that is easy to manage, and that has a good record of updates and of security, I would recommend any one of the following: Red Hat Workstation, PC-BSD, OpenBSD, MacOS X… Most systems require additional configuration to be the most secure; OpenBSD does not – and perhaps, neither does MacOS X.
That is why people spend money on computer security experts – and “tiger teams” to break in – and on Chief Security Officers of companies… instead of just on programs.
3.
Marcus | 29 August 2008 at 9:42 am
Another one of his alarmingly failed “power to the people” lapses. I’ve grown accustomed to them.
4.
kace | 4 September 2008 at 9:44 am
Fascinating historical note.
The wheel group is just common sense. You don’t want non-privileged local users to be able to just start guessing at the root password. And, if all your network daemons are running as a non-root user (as they should be), then the wheel group makes another hurdle to block a hacker who may get local access through a flawed network server. … “wheel” is just one more important layer of the security onion.
5.
hernan | 4 November 2008 at 9:44 pm
Sometimes, when we talk about the wheel group, we’re talking about the famous “circle of trust”. That makes sense to me; it’s common sense that at first sight you will see which users do or don’t have security capabilities.
6. What is ‘wheel’… | 10 March 2009 at 8:34 am
[...] even bother to find out. But the aforementioned article made me curious. So off to Google. The wheel Group was the one I was looking for. According to it, wheel is a special group which in conjunction with [...]
7.
aguy | 14 March 2009 at 5:20 pm
thanks! after reading this, I have decided I do not want a ‘wheel’ group.
8. Hummy: Wheel Group | 6 April 2009 at 5:21 am
[...] http://administratosphere.wordpress.com/2007/07/19/the-wheel-group/ [...]
9.
fabian | 20 May 2009 at 5:05 am
you need to uncomment the line
# Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
In order to allow the wheel users to execute the commands
thanks: