What is group wheel in linux

The wheel Group

The wheel group is, perhaps, not widely used today, or is seen as “archaic” and irrelevant. Nothing could be further from the truth.

The wheel group is a group which limits the number of people who are able to su to root. This usually consists of a group named “wheel” and a set of users that are permitted to use the utility ‘su’ in order to change to root.

Many systems, especially commercial systems and Linux systems, come without wheel groups configured and implemented. At least one Linux distribution comes with wheel groups preconfigured but not active. However, all or nearly all BSD-based systems come with the wheel group installed and set up.

However, at its simplest, a wheel group implementation requires no special set up. The basic set up, as it was in the beginning, was to do the following:

  1. Create a “wheel” group in /etc/group
  2. Change the permissions of the “su” command so that only those in the “wheel” group may run it.

That’s all there is to it. Many su implementations, however, added internal support for the wheel group, perhaps with logs kept and a more informative refusal message explaining why su would not run (for those not in the wheel group).

Perhaps one reason that the wheel group is not widely used may have something to do with the GNU project. The GNU implementation of su has this in its info page:

Is it any wonder that GNU/Linux systems don’t enable the wheel group by default? FreeBSD, however, does use the wheel group by default – as do OpenBSD and NetBSD.

36 thoughts on “The wheel Group”

I have noticed that the or a “wheel” group has been reading and writing data off my computer. I have also noticed that other things have gone on with my computer as well such as two proxies set up of which were not authorized. There has also been information from this computer used to write stories and music from information gathered. Which does not give me as the author free rein to write/compose or sketch on my computer without someone else using the information. Now, I know this sounds impossible I have been told this is impossible but it isn’t. So much for the security programs offered for computers that people spend vast amts of money on.
So, you SEE, this by now has probably already been read and written as I type this for all I know….perhaps I need to bring up the activity monitor and check that out.
Have a lovely day.
I

As you noticed, it is not impossible for your computer to be compromised (as we call it). If someone is determined enough, any computer can be taken over by someone else.

The best you can do is to keep your system updated and run checks for viruses, etc. on a regular basis. If you are an end user who wants a system that requires no updating or patching, you won’t find one.

If you are a user that wants a system that is easy to manage, and that has a good record of updates and of security, I would recommend any one of the following: Red Hat Workstation, PC-BSD, OpenBSD, MacOS X… Most systems require additional configuration to be the most secure; OpenBSD does not – and perhaps, neither does MacOS X.

That is why people spend money on computer security experts – and “tiger teams” to break in – and on Chief Security Officers of companies… instead of just on programs.

Another one of his alarmingly failed “power to the people” lapses. I’ve grown accustomed to them.


Yeah, this doesn’t take web infrastructure into account, where the ‘users’ are visitors to a site. Bad planning for the wrong reasons on the part of Stallman.

Fascinating historical note.

The wheel group is just common sense. You don’t want non-privileged local users to be able to just start guessing at the root password. And, if all your network daemons are running as a non-root user (as they should be), then the wheel group makes another hurdle to block a hacker who may get local access through a flawed network server. … “wheel” is just one more important layer of the security onion. 🙂

Sometimes, when we talk about Wheel group, we’re talking about the famous “circle of trust”, that makes sense to me, it’s common sense that you at first sight will see which users do or don’t have security capabilities.

thanks! after reading this, I have decided I do not want a ‘wheel’ group.

you need to uncomment the line

# Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL

In order to allow the wheel users to execute the commands

You should in most cases not do that at all. It would allow every member of the wheel group to execute commands as root without ever being asked for a password. Good you failed to mention where this line was supposed to go.

Can Anybody help on this problem?
Problem statement.
In this part of the assignment, delegates will create a pseudo-device and write a device driver for it. The pseudo-device provides a “backdoor” for gaining root access for a particular user. Instead of compiling the device driver into the kernel, delegate will create a module. Modules are object binaries that can be dynamically loaded into the kernel. They are similar to a DLL in MS Windows. Below is the description of the device the delegates are creating and the functionality your device driver is required to implement.
This pseudo-device gives root privileges to the task whose pid is written to the device. When the module is installed, the uid of the user who are allowed to use this device can be passed as module parameters. Any other user, including root, that tries to use this device will get an “access denied” error. When the correct user accesses the device for executing operations, the device driver finds the task associated with the pid and grants that task root privileges.
Work expected:
1. Identify proper device id, registration functions, and driver methods for the above given problem statement
2. Design the proper data structures required and the identified functions/methods to be implemented. Note: Issues of race conditions and synchronization should be taken care if required.
3. Develop the kernel module code for the designed functions with proper entry points to the driver
4. Write Makefile for compilation of the developed kernel module. Construct your Makefile so that developed kernel module will compile with “make” command
5. Accommodate the platform interface for the access to the developed module
6. Add the compiled kernel module into the running kernel
7. A program that uses the developed module to exec() a bash shell with root privileges. Modify the Makefile so that above program will compile when “make test” is run
8. Test the developed module for its functionality and discuss the obtained results

This is a homework assignment, and has nothing to do with the wheel group specifically. This comment is out of place here. You could ask your professor or teaching assistant if you need to.


Why is Debian not creating the ‘wheel’ group by default?

It appears to be Unix tradition that a wheel group is created automatically, but Debian (and children, naturally) doesn’t do so. Is there a rationale somewhere? Where else have you seen this tradition discarded?

2 Answers

Some unix systems allow only members of the wheel group to use su. Others allow anyone to use su if they know the password of the target user. There are even systems where being in the wheel group grants passwordless root access; Ubuntu does this, except that the group is called sudo (and doesn’t have id 0).


I think wheel is mostly a BSD thing. Linux is a mix of BSD and System V, and the various distributions have different default policies with respect to granting root access. Debian happens not to implement a wheel group by default; if you want to enable it, uncomment the auth required pam_wheel.so line in /etc/pam.d/su.

Because wheel is a tool of oppression! From info su:

Why GNU ‘su’ does not support the ‘wheel’ group

(This section is by Richard Stallman.)

Sometimes a few of the users try to hold total power over all the rest. For example, in 1984, a few users at the MIT AI lab decided to seize power by changing the operator password on the Twenex system and keeping it secret from everyone else. (I was able to thwart this coup and give power back to the users by patching the kernel, but I wouldn’t know how to do that in Unix.)

However, occasionally the rulers do tell someone. Under the usual ‘su’ mechanism, once someone learns the root password who sympathizes with the ordinary users, he or she can tell the rest. The “wheel group” feature would make this impossible, and thus cement the power of the rulers.

I’m on the side of the masses, not that of the rulers. If you are used to supporting the bosses and sysadmins in whatever they do, you might find this idea strange at first.

See also the Debian Reference. Anyways, the sudo group is built in so who needs wheel?


Where did the “wheel” group get its name?

The wheel group on *nix computers typically refers to the group with some sort of root-like access. I’ve heard that on some *nixes it’s the group of users with the right to run su, but on Linux that seems to be anyone (although you need the root password, naturally). On Linux distributions I’ve used it seems to be the group that by default has the right to use sudo; there’s an entry in sudoers for them:

But that’s all tangential; my actual question is: Why is this group called wheel? I’ve heard miscellaneous explanations for it before, but don’t know if any of them are correct. Does anyone know the actual history of the term?

7 Answers

The Jargon File has an answer which seems to agree with JanC.

wheel: n. [from slang ‘big wheel’ for a powerful person] A person who has an active wheel bit. The traditional name of security group zero in BSD (to which the major system-internal users like root belong) is ‘wheel’.

A wheel bit is also helpfully defined:

A privilege bit that allows the possessor to perform some restricted operation on a timesharing system, such as read or write any file on the system regardless of protections, change or look at any address in the running monitor, crash or reload the system, and kill or create jobs and user accounts. The term was invented on the TENEX operating system, and carried over to TOPS-20, XEROX-IFS, and others. The state of being in a privileged logon is sometimes called wheel mode. This term entered the Unix culture from TWENEX in the mid-1980s and has been gaining popularity there (esp. at university sites).


What is Wheel Group in UNIX and Unix-Like OS?

The wheel group originated in the TENEX OS, which was distributed and widely used in the 1960s. A wheel account has additional system privileges. Among UNIX and Unix-like operating systems, including some (but not all) GNU/Linux systems, there are some differences. It must be noted that GNU ‘su’ does not support the ‘wheel’ group. This is the official text:

Basics on Wheel Group in UNIX and Unix-Like OS

GNU/Linux systems do not enable the wheel group by default. FreeBSD, OpenBSD, NetBSD, Apple OS X and all UNIX operating systems, however, have the wheel group by default. In some Linux distributions, such as Gentoo Linux, alternative implementations maintain these requirements.

Because of the migration of system developers from TENEX/TOPS-20 to Unix, the term was adopted by the Unix community. On several of these systems the command “su” can be used to gain root access. Anticipating misuse, some system administrators allow only certain groups to run the command, often identified as wheel, indicating a higher level of confidence. On GNU/Linux a user does not need to be in the wheel group to use the su command; this is mainly for philosophical reasons.


More Information on Wheel Group and Practical Part

Modern Unix implementations generally include a security protocol that requires a user be a member of the wheel user privileges group in order to gain superuser access to a machine by using the su command. When a server had to be maintained at a higher level than the day-to-day system administration, root rights were often required. The Wheel Group was used to create a pool of user accounts that were allowed to get that level of access to the server.

To check for yourself on OS X 10.9, open the group file in the nano text editor:


Preventing users from escalating privileges via su

Many Linux guides (and not only Linux ones) regularly recommend, as a security measure, performing all non-administrative tasks as a user without administrator / superuser rights. Put simply, everyone recommends not working as root all the time and switching to root only when necessary.
In practice, there are many situations where processes need to run as a user who not only lacks root rights but also cannot escalate to root. At all, by any means. This need arises (it makes sense to create such users) for services running on a server, for example Apache, Asterisk, and so on. The point is that someone who obtains the rights of such a user not only does not get root rights but, even if they (somehow) learn the root password, cannot log in with it (escalate their privileges).

In older versions of Linux the default mode was as follows: users in the wheel group can run the su command, and everyone else cannot. More precisely, anyone can launch su, but for users outside the wheel group su returns an error even with the correct root password.
In modern versions of Linux, for example CentOS and Debian, this restriction is disabled by default, i.e. all users can escalate their privileges (if they know the root password). In this article we show how to restore the earlier mode, so that only users in the wheel group can raise their privileges.

Where to start

First of all, protect yourself: be sure to add the user you work as to the wheel group. And if several users on the system need to escalate to root from time to time, each of them must be added to the wheel group!
Note that it is important to do this before you change the Linux settings; otherwise (for example, if you connect to the server over SSH and root login over SSH is disabled), after logging in as a regular user over SSH you will not be able to escalate your privileges to root!

Creating the wheel group

Your version of Linux may not have a wheel group by default. In that case it has to be created. The following command does this:
addgroup wheel
Do not be afraid to run this command: if the wheel group exists, you will get a message saying the group already exists. If there is no such group, it will be created.

How to add a user to the wheel group

The following command does this:
usermod -a -G wheel user-name
for example:
usermod -a -G wheel username

This command adds the user username to the wheel group. If the user already belongs to one or more other groups, membership in all of them is preserved; the user is simply added to one more (supplementary) group.

Now check that everything was done correctly. The following command does this:
id user-name
for example:
id username

It displays the user's ID and name, as well as the ID and name of every group the user belongs to. Make sure that all the required users have been added to the wheel group.

Allowing only members of the wheel group to run su

Open the file /etc/pam.d/su in your text editor.
In this file, find a line similar to the following:
auth required pam_wheel.so
or
auth required pam_wheel.so use_uid
By default this line begins with the “#” character, which marks a comment. Remove the comment character from the start of the line and save the file.

That's it! Now only users in the wheel group can run the su command and escalate their privileges to root. Do not forget to verify this!
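
The checks from the steps above (and from the pam_wheel.so advice in the Debian answer earlier on this page), as an added shell example that is not part of the original article: it reports whether the pam_wheel line is active and whether the wheel group would leave a named administrator locked out. The function names, the status words and the sample users alice, bob and carol are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit a PAM su file and a group file before enabling pam_wheel.
# File paths are arguments so the check can run on copies of the real files.

# Succeeds if an uncommented "auth required pam_wheel.so" line is present.
pam_wheel_active() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so([[:space:]]|$)' "$1"
}

# Prints the comma-separated member list (4th field) of the wheel group.
wheel_members() {
    awk -F: '$1 == "wheel" { print $4 }' "$1"
}

# audit_su_wheel PAMFILE GROUPFILE [ADMINUSER] prints one status word:
#   inactive  pam_wheel line absent or commented out: su is open to all users
#   no-group  line active but no wheel group (pam_wheel then uses the GID 0 group)
#   lockout   line active but wheel is empty, or ADMINUSER is not a member
#   ok        line active and wheel (and ADMINUSER, if given) is set up
# Simplification: only supplementary members listed in the group file are seen.
audit_su_wheel() {
    pam=$1; grp=$2; admin=$3
    pam_wheel_active "$pam" || { echo inactive; return 0; }
    grep -q '^wheel:' "$grp" || { echo no-group; return 0; }
    members=$(wheel_members "$grp")
    [ -n "$members" ] || { echo lockout; return 0; }
    if [ -n "$admin" ]; then
        case ",$members," in
            *",$admin,"*) ;;
            *) echo lockout; return 0 ;;
        esac
    fi
    echo ok
}

# Demo on constructed sample files (not taken from a real system).
demo() {
    d=$(mktemp -d)
    printf '#auth required pam_wheel.so use_uid\nauth include system-auth\n' > "$d/su.off"
    printf 'auth\t\trequired\tpam_wheel.so use_uid\n' > "$d/su.on"
    printf 'root:x:0:\nwheel:x:10:alice,bob\n' > "$d/group"
    echo "commented line: $(audit_su_wheel "$d/su.off" "$d/group" alice)"
    echo "active, alice:  $(audit_su_wheel "$d/su.on" "$d/group" alice)"
    echo "active, carol:  $(audit_su_wheel "$d/su.on" "$d/group" carol)"
    rm -rf "$d"
}
demo
```

On a live system the call would be audit_su_wheel /etc/pam.d/su /etc/group followed by the account you log in with; a result of lockout means the group membership must be fixed before the PAM line is uncommented.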
