What is the "wheel" user in OS X?

117

28

I recently reinstalled iTunes and I noticed something peculiar. The "original" version of iTunes has a user in the permissions known as "wheel" that is set to "Read Only". I dragged this version of iTunes to the trash and installed a new copy, and when I look at the properties for iTunes it no longer says wheel, but rather just admin.

Here is a screenshot with the new version (left) and the old version (right):


What is the "wheel" user? How is it set (I can't seem to set it in the GUI)? Why would the permissions be different now? It's not a problem, I'm just terribly curious.

ralphthemagician

Posted 2010-09-23T14:58:38.163

Reputation: 1 369

8 I know this is old, but "wheel" is a group, not a user. – Rich Homolka – 2012-11-15T15:35:45.707

Answers

112

Some color:

Mac OS X has roots in BSD UNIX, a.k.a. the UNIX that came out of UC Berkeley. They had a group of trusted people that could become superuser by using the su command. So they coded their UNIX to only allow people in this specific group to become superuser using su. They chose the group name 'wheel', supposedly a reference to other systems that had WHEEL, possibly a reference to being a 'big wheel'.

It's less important now that you have the GUI authorization popups and sudo. You can use sudo without being in the wheel group, I believe.

As far as how to change to wheel, chgrp should be your friend, once you're root.

Rich Homolka

Posted 2010-09-23T14:58:38.163

Reputation: 27 121

chgrp operates on ownership files, newgrp changes the user to the group. newgrp enables (read/write/execute) use of multiple group memberships, one at a time. – bbaassssiiee – 2014-10-23T03:51:19.230

1 I just tried to sudo from a non-admin account and that did not work. However... you can su <admin-username> and once you've done that you can sudo as you want. – JL Peyret – 2016-03-17T06:42:31.227

7 +1 Good answer. I'd add the note that wheel is group ID 0, just like root is user ID 0. You're right that you don't have to be wheel to sudo. Mac OS X uses the group "admin" (group ID 80) as the default sudoers group. When you check the box to make an account an admin account, it gets added to the admin group. – Spiff – 2010-09-23T17:42:30.647

If it doesn't work you might want to try sudo -u <admin-user> <command>. But in my experience the password to use is the one for the logged-in user rather than the password of the specified (or default) admin-user (supposedly root?) – Kamafeather – 2019-08-28T10:07:40.680

28

wheel is the system administrator group in BSD, much like root is the system administrator user.

It is common to add sudo permissions to users in the wheel group.

Broam

Posted 2010-09-23T14:58:38.163

Reputation: 3 831

1 Thanks Broam. Any idea how you would set a file to be part of the wheel group? – ralphthemagician – 2010-09-23T15:06:21.030

4 chgrp wheel file – Broam – 2010-09-23T19:11:14.113

11

wheel is the group used by OS X for the 'system' /Applications. It has been present since at least 1989-03-13 in the source of BSD Unix.

Whether the connotation is 'big wheel' or 'wheel of fortune' is unclear from my sources, but membership of wheel is special.

In OS X, PAM is used to set the policy that su(1) will use. In particular, by default only users in the admin or wheel groups can switch to UID 0 (root). This group requirement may be changed by modifying the pam_group section of /etc/pam.d/su. See pam_group(8) for details on how to modify this setting.

bbaassssiiee

Posted 2010-09-23T14:58:38.163

Reputation: 1 225
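The pam_group policy described in the answer above, as an added example that is not part of the original answer: a shell check that reads the group= list from the pam_group line of a su policy and tests a user's groups against it. The sample policy text is constructed, the function names are hypothetical, and a comma-separated group= value is assumed; only the allow-list form is modelled.

```shell
#!/bin/sh
# Constructed sample modelled on a pam.d/su policy; not copied from a real host.
SAMPLE_PAM_SU='# su: auth account session
auth       sufficient     pam_rootok.so
#account   required       pam_group.so group=staff
account    required       pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
session    required       pam_launchd.so'

# Print every group named by group= on active (non-comment) pam_group lines,
# one group per line. $1 is the policy text.
pam_su_groups() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }                      # skip commented-out rules
        $3 ~ /pam_group/ {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^group=/) {
                    n = split(substr($i, 7), g, ",")
                    for (j = 1; j <= n; j++) if (g[j] != "") print g[j]
                }
        }'
}

# $1: space-separated groups of the user (for example the output of `id -Gn user`)
# $2: policy text
# Returns 0 if a group is on the list, 1 if none is,
# 2 if the policy carries no group= restriction at all (worth flagging in an audit).
su_group_check() {
    allowed=$(pam_su_groups "$2")
    [ -n "$allowed" ] || return 2
    for g in $1; do
        # -x matches whole lines only, so "sysadmin" does not match "admin"
        if printf '%s\n' "$allowed" | grep -qxF -- "$g"; then
            return 0
        fi
    done
    return 1
}

# Demo on constructed group memberships.
for member_of in "staff admin" "staff everyone" "wheel" "sysadmin"; do
    su_group_check "$member_of" "$SAMPLE_PAM_SU" && verdict=allowed || verdict=denied
    printf '%-16s -> %s\n' "$member_of" "$verdict"
done
```

On a real system the first argument would come from `id -Gn <user>` and the second from the contents of /etc/pam.d/su.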

2

The "wheel" connotation refers to "being at the steering wheel", or in control of the bridge of a ship.

I'll try to find my source for this but I'm 100% sure.

cocoonkid

Posted 2010-09-23T14:58:38.163

Reputation: 21

1 This sounds much more likely than the accepted answer (i.e., a "big wheel"). Users of the wheel group aren't actually root but they can "take the wheel" for commands that need privileged access. – Erik Nomitch – 2019-06-14T16:07:38.577