The Wheel Group: Updated

Working with Ubuntu Server 10.04 (Lucid Lynx), the wheel group setup has changed slightly.

Firstly, there is no wheel group at all, at least not by that name. The group pam_wheel checks is now root by default (the reason is explained below), and the check is enabled the same way as before: uncomment the pam_wheel line in /etc/pam.d/su so it looks like this:

auth required pam_wheel.so

The system uses the root group because that is the name of group 0 and because there is no group named wheel. If you want to keep the traditional name instead, make the entry look like this:

auth required pam_wheel.so group=wheel

Then add a second entry for GID 0 in /etc/group (or rename the existing one):

root:x:0:root
wheel:x:0:root

This maintains the highest level of compatibility: the group root remains as before, but the name wheel is also available. Two groups sharing one GID is not normally recommended, but it does not necessarily break anything as long as the two entries are treated as completely equivalent. When a GID is mapped back to a name (as ls -l does), the first matching entry in the file is used, so files owned by GID 0 still display as group root; when either name is looked up, it resolves to GID 0, so both names work in group lists and in pam_wheel's group= option.

According to the pam_wheel documentation this is overkill, since wheel is already the default group name. It does force the issue, though: with group=wheel the module checks the group literally named wheel, which must therefore exist, instead of quietly falling back to group 0.

What pam_wheel actually does, when no group= option is given, is look for a group named wheel first; if that does not exist, it uses group 0 (zero) instead. This fallback is what lets the root group stand in for wheel on Ubuntu.

Debian and Ubuntu do not ship a wheel group: sudo access is controlled by a separate group (admin on Lucid, sudo on Debian and on later Ubuntu releases), and su's pam_wheel check falls back to group 0, root. The best thing to do, when there is no distinct advantage to changing, is to go with the status quo: any administrator who comes along will then be able to learn and adapt to the system rapidly, leading to quicker completion of administration tasks, simple and complex.
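The lookup order described above, as an added example that is not part of the original post: a small POSIX shell script that reproduces pam_wheel's group resolution and membership test against a constructed group file (the file contents and the user names alice and bob are made up for the demonstration), so the stock Ubuntu layout and the duplicate GID 0 entry can be compared without editing the real /etc/group.

```shell
#!/bin/sh
# Added example: emulates pam_wheel's group lookup against a constructed
# group file so the lookup order and the duplicate-GID trick can be tested
# without touching the real /etc/group. Names (alice, bob) are made up.

# Constructed stand-in for /etc/group. No wheel group: only root has GID 0.
make_sample_group_file() {
  f=$(mktemp) || return 1
  cat >"$f" <<'EOF'
root:x:0:root
daemon:x:1:
sudo:x:27:alice
users:x:100:alice,bob
EOF
  printf '%s\n' "$f"
}

# add_wheel_alias GROUPFILE USER: append the second GID-0 entry described
# above, so the name wheel exists alongside root and USER is a member of it.
add_wheel_alias() {
  printf 'wheel:x:0:root,%s\n' "$2" >>"$1"
}

# resolve_wheel_group GROUPFILE: the group pam_wheel uses when no group=
# option is given. A group literally named wheel wins; otherwise the first
# entry with GID 0 is used (root on Debian and Ubuntu). Fails if neither exists.
resolve_wheel_group() {
  name=$(awk -F: '$1 == "wheel" { print $1; exit }' "$1")
  [ -n "$name" ] || name=$(awk -F: '$3 == "0" { print $1; exit }' "$1")
  [ -n "$name" ] || return 1
  printf '%s\n' "$name"
}

# name_for_gid GROUPFILE GID: what getgrgid() (and therefore ls -l) reports.
# With two GID-0 entries the first one in the file is returned.
name_for_gid() {
  awk -F: -v gid="$2" '$3 == gid { print $1; exit }' "$1"
}

# may_su GROUPFILE USER PRIMARY_GID: 0 if pam_wheel would allow USER to run su.
# pam_wheel accepts USER when listed as a supplementary member of the resolved
# group or when that group is USER's primary group.
may_su() {
  grp=$(resolve_wheel_group "$1") || return 1
  awk -F: -v g="$grp" -v u="$2" -v pg="$3" '
    $1 == g {
      if ($3 == pg) found = 1
      n = split($4, members, ",")
      for (i = 1; i <= n; i++) if (members[i] == u) found = 1
    }
    END { exit(found ? 0 : 1) }' "$1"
}

# Walk-through: stock Ubuntu layout first, then with the wheel alias added.
demo() {
  gf=$(make_sample_group_file) || return 1
  echo "resolved group: $(resolve_wheel_group "$gf")"                    # root
  may_su "$gf" alice 1000 && echo "alice may su" || echo "alice denied"  # denied
  add_wheel_alias "$gf" alice
  echo "resolved group: $(resolve_wheel_group "$gf")"                    # wheel
  echo "GID 0 displays as: $(name_for_gid "$gf" 0)"                      # root
  may_su "$gf" alice 1000 && echo "alice may su" || echo "alice denied"  # may su
  rm -f "$gf"
}

demo
```

The two awk lookups mirror getgrnam() and getgrgid(): the by-name search finds the wheel entry wherever it sits in the file, while the by-GID search stops at the first GID 0 line, which is why the root entry should stay first if you want GID 0 to keep displaying as root.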

Wheel Group on HP-UX 11i

On HP-UX 11i, it appears that setting up the wheel group has been made easier than ever through the use of PAM and the pam_hpsec module.

To enable the wheel group, make sure that the wheel group does, in fact, exist – you’ll probably have to add it. After adding the wheel group, make yourself a member of it (no sense in getting locked out, right?).

Edit the file /etc/default/security and look for the entry:

# SU_ROOT_GROUP=wheel

Uncomment this line (by removing the first two characters) and save:

SU_ROOT_GROUP=wheel

You’re done! Easy, wasn’t it?


The root account (and toor)

Traditionally, the root account (UID 0) is not used for daily tasks.  This is widely known, and it is also the reason that root's home directory was usually / (the root directory): there was no need for .profile, .login, .Mail, and so forth.  MacOS X goes a step further: the root account is created with a locked password (that is, there is no valid password for root, making it impossible to log in as root directly).

However, that is certainly not how things are done today, and more and more administrators use the root account for many tasks.  One common problem is an administrator wanting to change root's shell, and thereby breaking the startup process, since some scripts assume that root's shell is the Bourne shell.  This was more of a problem under BSD, where the standard shell was the C shell while the startup scripts assumed the Bourne shell (the two are completely incompatible).  The toor account (root spelled backwards) was created for this purpose: a person can log in as toor and get the C shell (csh) without affecting the standard startup process.  A toor user still has user ID zero (0) and is, for all intents and purposes, the root user.

This also allows toor to have its own home directory, and with it its own shell startup files, separate from root's.

In MacOS X, the root user is locked and no direct login as root is possible.  To get root privileges, use the sudo utility from an administrator account (the user that installed MacOS X is one).

The wheel group is part of the same approach: granting selected users extra capabilities through group membership further reduces the need to use the root account as a shell account.

Thus, you can see that there is really no reason to use the root account.  But is that going to stop us? Perhaps it should…

Using the Wheel Group in HP-UX (or UNIX in general)

Many versions of UNIX do not support the wheel group at all. Hewlett-Packard’s HP-UX is one of these. The main focus and purpose of a wheel group can be summarized thus: Not everyone should be able to run the su command.

Accomplishing this does not require much. First, the wheel group must be created. Add the group to the /etc/group file:

wheel:*:0:root,dgd

It is not strictly required that the wheel group use GID 0, but it is entirely appropriate. Don't forget to add yourself (your normal user account) to this group. The next step is to check the su command:

# ls -ld `which su`
-r-sr-xr-x 1 root bin 19588 Mar 20 2005 /usr/bin/su

Note that this binary is suid; this must be preserved in order for su to work properly. However, the permissions and group ownership must change in order for the wheel group to work properly. Two things must be changed:

  1. World permissions (“other”) must be revoked
  2. Wheel group members must be able to execute this command

These requirements can be satisfied in this manner. Change the group first and the mode last: some systems, Linux among them, clear the setuid bit when a file's owner or group changes, and running chmod last guarantees the bit is set when you are done:

# chown root:wheel `which su`
# chmod 4550 `which su`

Mode 4550 is setuid plus read and execute for the owner and the group, with nothing for others; ls -ld should now show -r-sr-x--- with owner root and group wheel.

This is only the beginning, but it satisfies the initial requirements. The rest is optional, but makes things easier for the administrators in the wheel group. In particular, change the group ownership and permissions on log files so that members of the wheel group can read them without having to switch to root.
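An added example, not part of the original post: a POSIX shell check for the su permissions described above, fed with the ls -ld listing shown earlier and with the target listing after the change. The audit parses the listing text rather than calling stat, so it works on HP-UX as well as Linux; harden_su is a helper name chosen here, and it needs root to run.

```shell
#!/bin/sh
# Added example: checks an su binary against the wheel-group requirements
# and applies the change in the order that keeps the setuid bit intact.

# audit_su_listing "LS_LINE" [GROUP]
# Parses one line of `ls -ld` output and reports whether the binary is
# setuid root, group-owned by GROUP (default wheel), executable by that
# group, and closed to "other". Returns 0 when every check passes and
# prints one line per failed check otherwise.
audit_su_listing() {
  want_group=${2:-wheel}
  set -- $1                   # split into: mode links owner group size ...
  mode=$1 owner=$3 group=$4
  rc=0
  case "$mode" in
    ???s*) ;;                                # owner execute + setuid
    ???S*) echo "fail: setuid set but owner has no execute"; rc=1 ;;
    *)     echo "fail: setuid bit not set"; rc=1 ;;
  esac
  [ "$owner" = root ] || { echo "fail: owner is $owner, not root"; rc=1; }
  [ "$group" = "$want_group" ] || { echo "fail: group is $group, not $want_group"; rc=1; }
  case "$mode" in
    ??????[xs]*) ;;                          # group may execute
    *) echo "fail: group $want_group cannot execute"; rc=1 ;;
  esac
  case "$mode" in
    ???????---*) ;;                          # other: no permissions at all
    *) echo "fail: other permissions not revoked"; rc=1 ;;
  esac
  return $rc
}

# harden_su [PATH]  (helper name chosen for this example; must run as root)
# Applies the change. Order matters: chown can clear the setuid bit (Linux
# does so even when root runs it; other systems do so at least for non-root
# callers), so chmod runs last and re-asserts 4550.
harden_su() {
  su_path=${1:-$(command -v su)}
  chown root:wheel "$su_path" && chmod 4550 "$su_path" && ls -ld "$su_path"
}

# The listing from the post (stock HP-UX) and the target state afterwards.
audit_su_listing "-r-sr-xr-x 1 root bin 19588 Mar 20 2005 /usr/bin/su" || echo "before: not hardened"
audit_su_listing "-r-sr-x--- 1 root wheel 19588 Mar 20 2005 /usr/bin/su" && echo "after: hardened"
```

The stock listing fails two checks (group bin instead of wheel, and world read/execute still present); the target listing passes all of them. Running the audit on the real binary is just audit_su_listing "$(ls -ld "$(command -v su)")", which is handy to keep in a post-change checklist.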