129

I recently reinstalled iTunes and I noticed something peculiar. The "original" version of iTunes has a user in the permissions known as "wheel" that is set to "Read Only". I dragged this version of iTunes to the trash and installed a new copy, and when I look at the properties for iTunes it no longer says wheel, but rather just admin.

Here is a screenshot with the new version (left) and the old version (right):

enter image description here

What is the "wheel" user"? How is it set (I can't seem to set it in the GUI)? Why would the permissions be different now? It's not a problem, I'm just terribly curious.

Gaff
  • 18,569
  • 15
  • 57
  • 68
ralphthemagician
  • 1,499
  • 2
  • 11
  • 8

4 Answers4

125

Some color:

Mac OS X has roots in BSD UNIX, a.k.a. the UNIX that came out of UC Berkeley. They had a group of trusted people that could become superuser by using the su command. So they coded their UNIX to only allow people in this specific group to become superuser using su. They chose the groupname 'wheel', supposedly reference to other systems that had WHEEL, possibly a reference to being a 'big wheel'

It's less important now that you have the GUI authorization popups and sudo. You can use sudo without being in wheel group I believe.

As far as how to change to wheel, chgrp should be your friend, once you're root.

Spiff
  • 101,729
  • 17
  • 175
  • 229
Rich Homolka
  • 31,057
  • 6
  • 55
  • 80
  • 8
    +1 Good answer. I'd add the note that wheel is group ID 0, just like root is user ID 0. You're right that, you don't have to be wheel to sudo. Mac OS X uses the group "admin" (group ID 80) as the default sudoers group. When you check the box to make an account an admin account, it gets added to the admin group. – Spiff Sep 23 '10 at 17:42
  • chgrp operates on ownership files, newgrp changes the user to the group. newgrp enables (read/write/execute) use of multiple group memberships, one at the time. – bbaassssiiee Oct 23 '14 at 03:51
  • 1
    I just tried to sudo from a non-admin account and that did not work. However... you can **su ** and once you've done that you can sudo as you want. – JL Peyret Mar 17 '16 at 06:42
  • If it doesn't work you might want to try `sudo -u `. But for my experience the password to use is the one for the logged user rather than the password of the specified (or default) admin-user (supposedly *root* ?) – Kamafeather Aug 28 '19 at 10:07
32

wheel is the system administrator group in BSD, much like root is the system administrator user.

It is common to add sudo permissions to users in the wheel group.

Broam
  • 3,984
  • 18
  • 20
12

wheel is the group used by OSX for the 'system' /Applications. It was present since at least 1989-03-13 in the source of BSD Unix.

Whether the connotation is 'big wheel' or 'wheel of fortune' is unclear from my sources, but membership of wheel is special.

In OS X PAM is used to set the policy that su(1) will use. In particular, by default only users in the admin or wheel groups can switch to UID 0 (root). This group requirement may be changed by modifying the pam_group section of /etc/pam.d/su. See pam_group(8) for details on how to modify this setting.

Clashsoft
  • 113
  • 6
bbaassssiiee
  • 1,393
  • 1
  • 11
  • 17
6

The "wheel" connotation refers to "being at the steering wheel", or in control of the bridge of a ship.

I'll try to find my source for this but I'm 100% sure.

cocoonkid
  • 61
  • 1
  • 1
  • 3
    This sounds much more likely than the accepted answer (i.e., a "big wheel"). Users of the `wheel` group aren't _actually_ `root` but they can "take the wheel" for commands that need privileged access. – Erik Nomitch Jun 14 '19 at 16:07