Wheel Group originated in the TENEX OS, distributed, widely used in 1960s. Wheel Group has wheel account, has additional system privileges. UNIX Operating System and Unix-Like Operating Systems including (not all) GNU Linux, there are some differences. It must be noted that; GNU su' does not support the wheel’ group. This is official text :
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | Why GNU `su' does not support the `wheel' group =============================================== (This section is by Richard Stallman.) Sometimes a few of the users try to hold total power over all the rest. For example, in 1984, a few users at the MIT AI lab decided to seize power by changing the operator password on the Twenex system and keeping it secret from everyone else. (I was able to thwart this coup and give power back to the users by patching the kernel, but I wouldn't know how to do that in Unix.) However, occasionally the rulers do tell someone. Under the usual `su' mechanism, once someone learns the root password who sympathizes with the ordinary users, he or she can tell the rest. The "wheel group" feature would make this impossible, and thus cement the power of the rulers. I'm on the side of the masses, not that of the rulers. If you are used to supporting the bosses and sysadmins in whatever they do, you might find this idea strange at first. |
Basics on Wheel Group in UNIX and Unix-Like OS
GNU Linux systems do not enable the Wheel Group by default. FreeBSD, OpenBSD, NetBSD, Apple OS X and all UNIX OS; however has Wheel Group by default. In some Linux distributions like Gentoo Linux alternative implementations maintain these requirements.
Because of the migration of system developers TENEX/TOPS-20 Unix , the term was adopted by the Unix community. In several of these systems the command “su”can be used to gain the root access. Anticipating misuse, some system administrators only allow access the command by certain groups, often identified as wheel, indicating a higher level of confidence. In a GNU Linux is not necessary that a user is in the wheel group to use the su command, this is mainly for philosophical reasons.
More Information on Wheel Group and Practical Part
Modern Unix implementations generally include a security protocol that requires a user be a member of the wheel user privileges group in order to gain superuser access to a machine by using the su command. When a server had to be maintained at a higher level than the day-to-day system administration, root rights were often required. The Wheel Group was used to create a pool of user accounts that were allowed to get that level of access to the server.
---
To check yourself on OS X 10.9, open the group file in nano text editor :
1 | nano etc/group |
This is the screenshot :
For Linux : Most GNU Linux systems, come without wheel groups configured and implemented. However, a wheel group implementation requires no special effort. The basic set up, as it was in the beginning. Create a wheel group in /etc/groups or /etc/groups. Change the permissions of the su command so that only those in the wheel group may run it.
You can add yourself to wheel when creating your account using vigr or nano or vi to edit the file /etc/group; add your username to the end of the line starting with wheel :
1 | wheel::10:root,alien |
visudo allows you to tailor the /etc/sudoers file which determines who may run what commands using sudo. On UNIX the same file can be edited using :
1 | sudo nano /etc/sudoers |
Another interesting file on GNU Linux is :
/etc/suauth
Can be opened with :
1 | sudo nano /etc/suauth |
For not being member of wheel implies that one will not be able to use su to get a root access. A sample suauth file is :
1 2 3 4 5 6 7 8 9 10 11 | # sample /etc/suauth file # # A couple of privileged usernames may # su to root with their own password. # root:alien:OWNPASS # # Anyone else may not su to root unless in # group wheel. This is how BSD does things. # root:ALL EXCEPT GROUP wheel:DENY |
The same kind of file exists on UNIX (BSD variants and OS X) as /etc/pam.d/su.
DO NOT Edit any file without knowing theory in details. Wrong editing can result in buffer overflow/buffer overrun.
