Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

10.5: Join 'wheel' group as possible fix for system issues System 10.5
As many would be aware, and many may be suffering from, 10.5 and in particular 10.5.2, has been causing many people headaches with permissions and ownership of files and folders, particularly temporary folders. This has been causing odd problems ranging from failed software installs, script errors, Preview silently failing to open images, and a biggie for me, the GUI version (but not the command line version) of Software Update failing with a -3001 error, referencing a network failure.

In various forums around the usual places, many working band-aids involving a chown here, a chmod there, or up to and including an Eerase-and-reinstall have been used to alleviate the suffering.

After much frustration and poking around, I finally noticed that my login was no longer part of group wheel. I understand from various forum posts that under 10.5 this was not required of an admin user. However, after I added myself back to group wheel, all my symptoms have vanished, without having to do a re-install at this time. It would seem the update installs don't have a clear migration path for these permissions yet.

Given that NetInfo is now gone, and editing Unix config files is just plain anathema, the easiest way to do this sort of operation is to download Apple's Server Admin Tools package, as described in this hint. This may be an incomplete panacea, and a more complete understanding of both current and future plans for the permissions structure are necessary, but it sure did save me from a lot of work.

[robg adds: I haven't had any permissions-related issues since installing 10.5, and that includes one machine (my MacBook Pro) where I did my first-ever upgrade install (I typically do clean installs only). If you have had issues, though, it'd be interesting to know if this hint helped you out at all. Alternatively, if you know of a different cause and solution, and this hint isn't applicable at all, please post that as well!]
    •    
  • Currently 2.50 / 5
  • 1
  • 2
  • 3
  • 4
  • 5
  (2 votes cast)
 
[27,780 views]  

10.5: Join 'wheel' group as possible fix for system issues | 26 comments | Create New Account
Click here to return to the '10.5: Join 'wheel' group as possible fix for system issues' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
10.5: Join 'wheel' group as possible fix for system issues
Authored by: kyngchaos on Apr 07, '08 08:28:34AM

I've never been a member of group 'wheel', and I've never had permissions problems in any version of Leopard. Only 'root' should be in the 'wheel' group.

'admin' is the group you need to be in for administrator privileges.



[ Reply to This | # ]
10.5: Join 'wheel' group as possible fix for system issues
Authored by: kyngchaos on Apr 07, '08 08:34:02AM

Forgot to say, just to be clear: this goes for any OSX version as far as I can remember - only root in wheel, admin group for admin privs.



[ Reply to This | # ]
10.5: Join 'wheel' group as possible fix for system issues
Authored by: chiggsy on Apr 10, '08 06:05:00AM

Wheel group:

some implementations of sudo and su require the login to be in the 'wheel' group, or in other words, only users in that group can su to root.

Now, this is simply a fact of unices, not some horrid thing to be kept secret. For example:

I work in gnu screen always. One of my screens is started with

sudo su -m

in order to keep my current environment but still be root for quick macports installs, easy_install, CPAN , whatever...

All the squealing about this hint is curious to me ( although as a fix, seems a poor idea.. you should not need to have that group access in os X for anything, with netinfo, no? )



[ Reply to This | # ]
10.5: Join 'wheel' group as possible fix for system issues
Authored by: irfanr on Apr 07, '08 09:49:32AM

This should not be considered a solution for any problem or qualifies as one.



[ Reply to This | # ]
10.5: Join 'wheel' group as possible fix for system issues
Authored by: Josh43 on Apr 07, '08 10:11:40AM

I would think that this would apply more if you were tinkering with "non-OSX" unix stuff - like Fink, etc.

It's very likely that at least a few of the applications not designed for OSX are still using the wheel security group since it's a valid way of doing things, just not the OSX way.



[ Reply to This | # ]
No, no, no, NO!
Authored by: ClassicUser on Apr 07, '08 11:46:13AM

As stated by others: root should be the only member of the "staff" group. If there are other problems apparent on the drive, the first step would be to Repair Permissions, not to try and guess your way out of the problem.

If "editing Unix config files is just plain anathema", then users should not be directed to go mucking around with other alternatives which essentially do the same thing (modify Unix-level configuration details).

This "hint" is a terrible idea, and should be pulled DOWN as a non-solution at best, and more significantly, possibly leading to a potential security hole.

robg: Can we delete this hint? Please?



[ Reply to This | # ]
re: No, no, no, NO! (alternate packages)
Authored by: ClassicUser on Apr 07, '08 12:00:12PM
I should have mentioned… As Josh43 stated:
It's very likely that at least a few of the applications not designed for OSX are still using the wheel security group since it's a valid way of doing things, just not the OSX way.
In this case, the developer of that package should be contacted, and educated on how best to set ownership (and possibly permissions) on the files they are distributing for use with Darwin. I don't think it's a good idea to just accept that there may be packages which attempt to overwrite /System with 501:501, 777. Fix the problem at the source; don't just try to work around the issue via convoluted (and possibly problematic) hacks.

[ Reply to This | # ]
10.5: Join 'wheel' group as possible fix for system issues
Authored by: yeno on Apr 07, '08 11:48:42AM

I experienced the Preview problem with 10.3.9 -- on a multi-user machine there were Preview files in a locked folder and unless this folder was unlocked, Preview files would not open -- and displayed no error. When the folder was unlocked, all at once all the requested Preview files would open. Haven's experienced this so far since upgrading to Leopard.



[ Reply to This | # ]
10.5: Join 'wheel' group as possible fix for system issues
Authored by: Hal Itosis on Apr 07, '08 12:09:56PM

I agree, this hint is lame... on several levels.

Besides the problems mentioned above... and,
even assuming it wasn't a bad idea (which it is),
the author didn't bother to describe **HOW**
to add oneself to the wheel group. Some hint!

-HI-




[ Reply to This | # ]
10.5: Join 'wheel' group as possible fix for system issues
Authored by: vaalrus on Apr 08, '08 01:35:28AM

Actually, I did. See the link that points to a detailed hint on where to get the modern GUI tools to replace netinfo.app



[ Reply to This | # ]
10.5: Join 'wheel' group as possible fix for system issues
Authored by: cha424 on Apr 07, '08 12:36:18PM

How do you yourself to the WHEEL group?



[ Reply to This | # ]
10.5: Join 'wheel' group as possible fix for system issues
Authored by: macosx4me on Apr 07, '08 01:20:33PM

Please pull this down !

It is a mistake and arrogant to presume to know better than Apple on this one.
To *break* your system or at least reduce it's security in order to attempt to reconcile problems due to poor 3rd-party software, is totally misguided.

In a default, clean install of 10.5, the initial admin account is *not* a member of the "wheel" group. As noted, only root is.



[ Reply to This | # ]
10.5: Join 'wheel' group as possible fix for system issues
Authored by: vaalrus on Apr 08, '08 01:31:47AM

My system was already broken, and NOT by third party hacks... This was a legacy install issue. My "arrogance" was to try and piece together what went wrong. All the symptoms I was having were discussed heavily in the Apple forums and signs pointed to the various combination of ACLs, sticky-bits, umasks, use of chmod, chown, group assignments, and more. The bulk of the problems came down to a lack of appropriate access to temporary directories. The only problem that hadn't found detailed resolution was the failure of the GUI Software Update, with the -3001 network error, and a silent printing error that I hadn't seen discussed. At some point, I'm guessing 10.5.2, or an adjacent security update, I was removed from group wheel, which my admin account had been part of since it's initial install under 10.2 (my PB G4 shipped with 10.2 installed, and 10.3 update disks.). After I put myself back, I could again indulge in luxuries like running Software Update, or Printing. From there it was a pretty straightforward step to recognize the failure chain. I was functional, and I also knew I was in an unstable, undesirable state.

I made no attempt to declare this a sweeping panacea, or that I knew better than Apple. I included caveats, and noted the incompleteness of the solution and that it was both a "possible", not a definite or Definitive fix. See a later comment for updates on a more complete, more "Apple" solution.



[ Reply to This | # ]
10.5: Join 'wheel' group as possible fix for system issues
Authored by: Zeitkind on Apr 07, '08 05:18:44PM

Though I don't really get the hint or the reason to get memeber of the wheel group, most system files and dirs are 644, 744 or 700 or simular, so getting into wheel won't really change a lot regarding basic file-realted security. The "hint" is kinda strange and I don't think it will help a lot with problem, but has the power to create problems. If an installer really makes troubles and you know what you do, a sudo is the only way to go - if at all.



[ Reply to This | # ]
10.5: Join 'wheel' group as possible fix for system issues
Authored by: mantronix on Apr 07, '08 05:26:41PM

This is not a good solution. Problems in general, including permissions problems -- if they really are in fact permissions problems -- are caused by users running as admin and installing every "Mississippi GoFaster" app they come across. The problem is that various InputManagers, kernel extensions, miscellaneous hacks, and unnecessary commercial software, etc., gets installed by users who have no idea what files they are about to put in their Macs. They're all disguised as Stuff You Really Need On Your Mac, but the vast majority of this software is junk, and you pay the price with decreased system reliability.

You should have your user account as a Standard account. You should have a separate account that is an Administrator account. Don't use your Mac as an administrator all the time. When you need to do a system upgrade, log out, then log in as your Administrator account.

Stay away from all the Safts, PithHelmets, kexts, etc.




[ Reply to This | # ]
10.5: Join 'wheel' group as possible fix for system issues
Authored by: vaalrus on Apr 08, '08 12:51:45AM

Oh my! The wailing and the rending of the garments...

I'll amend my own hint, after not being satisfied with the long term outlook, but having made this hint here and in other places for folks having permissions problems ranging from annoying to crippling...

There is indeed a better way to accomplish the goals for with this hint was intended, but first:

I'm not sure WHEN the policy changed, but indeed up until recently, possibly as late as 10.3, admin users WERE REQUIRED to be part of group wheel. This is going right back to the Public Beta and Puma and Jaguar, since my current install dates back to Panther, with successful update-in-place installs right up until 10.5.2 and/or related security update. (and would be back to Jaguar, barring a catastophic powerboard failure on my laptop (RIP G3 Wallstreet) and an undetermined HD failure on a Cube) Apple's installers DID NOT remove me from group wheel untill then.

Now, as I said, I wasn't completely satisfied... I'm sure Apple had reason for the wheel policy change, and future updates could break things again. I want to be compliant, but I did not want to to an erase-install.

These hints
http://www.macosxhints.com/article.php?story=20010827120222505
and
http://www.macosxhints.com/article.php?story=2007110800450816

detail the glory of the Setup Assistant which WILL properly bring your wayward account and permissions back into the fold.

As I am obviously a careless jerk, I simply deleted the flag that tells Setup not to run, and let it create a parallel new admin account. I took my main account out of group wheel, made sure that I was only in the same groups as the setup assistant created for the new account, and voila. All is good, and I don't have to dig out install disks from 2004.

We now return you to your regularly scheduled crucifixion, already in progress.



[ Reply to This | # ]
10.5: Join 'wheel' group as possible fix for system issues
Authored by: mbroughtn on Apr 08, '08 08:15:50AM
I'm not sure WHEN the policy changed, but indeed up until recently, possibly as late as 10.3, admin users WERE REQUIRED to be part of group wheel. This is going right back to the Public Beta and Puma and Jaguar,

I can't speak to the public beta or 10.1.x, but the clean installs of Jaguar and Panther I keep for testing both show the only member of the group wheel to be root. The admin accounts DO NOT belong to group wheel.



[ Reply to This | # ]
10.5: Join 'wheel' group as possible fix for system issues
Authored by: Zeitkind on Apr 08, '08 12:10:48PM

Well.. just look into my old G3/G4-system, updated from 10.1 to 10.5 over the years, and the main admin account is member of wheel. Other, later created admins are not member of wheel. Not sure if I - for ever what reason - put myself into wheel long ago or if it is vanilla setup.



[ Reply to This | # ]
10.5: Join 'wheel' group as possible fix for system issues
Authored by: tom larkin on Apr 08, '08 06:39:27AM

I have only seen this be a problem when installers do not apply the proper ownerships into items that they are in the /Library and /System. I have even installed them as a root user and it still puts it in the admin:admin user:group, and they needed to be root:wheel.

However, I have not seen this as a general issue, but more of a specific one to specific installers that the developer did not quite understand Unix, or Apple's Unix is maybe the better way to say it.



[ Reply to This | # ]
10.5: Join 'wheel' group as possible fix for system issues
Authored by: robtain on Apr 08, '08 07:29:41AM

I've had some issues with Web Sharing on a G5 that I upgraded to Leopard from Tiger. I did some digging around here for tips about permissions and tried a couple of hints without success.

Then I remembered a tip about using the Password Reset app included on the Leopard Install DVD. Not only can you reset the password, but you can also restore ACL (access control lists) for any user.

I did this and all my problems vanished.

Rob



[ Reply to This | # ]
10.5: Join 'wheel' group as possible fix for system issues
Authored by: V.K. on Apr 08, '08 09:36:47AM

I completely fail to understand the fury at this hint. While it's not likely to resolve too many issues, I see no harm in it at all. I've done it on my computer because after I did full system restore group ownership to several
directories like / changed from admin to wheel. Also, anyone who's ever done password reset using the leopard install DVD will know that that procedure changes user's primary group from staff to wheel.
Obviously Apple sees nothing wrong with that so what's with all the screaming and histrionics?

To add yourself to wheel run the following command in terminal

sudo dscl . -append /groups/wheel GroupMembership yourusername



[ Reply to This | # ]
10.5: Join 'wheel' group as possible fix for system issues
Authored by: V.K. on Apr 08, '08 09:47:56AM

make that full system restore from Time Machine.



[ Reply to This | # ]
10.5: Join 'wheel' group as possible fix for system issues
Authored by: PizzaCake on Apr 09, '08 07:30:53AM

I had many permission based problems after upgrading from Tiger to Leopard. The symptoms included spotlight not finding some files and finder asking for admin password to delete files in my home folder. I remember even though the GUI tools (e.g. Sys prefs>users>advanced) stated I was in the staff group when I ran unix commands to check this, I wasn't. I tried many things including the password reset utility to no avail. Only by using unix commands in Terminal was I was able to remedy this by adding myself to staff group and changing group ownership of files in my home folder. Now everything works as expected. How permissions are handled in Leopard changed from Tiger and I believe this was the cause of my systems problems.



[ Reply to This | # ]
10.5: Join 'wheel' group as possible fix for system issues
Authored by: delight1 on Jul 03, '08 02:39:59PM

from personal experience, i can say this is not a good ideal, at least for you main account.

with group wheel, in system prefs -> sharing -> file sharing, i was able to add the root of my harddrive to be shared, and then able to give all users _NO_ permission to read it.

after that i couldn't boot... it took me 20 minutes to remember that even thought i had firmware's security-mode set to command (and open firmware is gone on intel) that i could 'option' boot.... at which point i was finally able to repair disk permissions with my install disc...

it hurt



[ Reply to This | # ]
10.5: Join 'wheel' group as possible fix for system issues
Authored by: zo219 on Jul 04, '08 03:30:02PM
Someone asked, But how do I join Wheel ...

I'm not recommending it - but on the other hand, When did this get introduced to Accounts, and more importantly, why:

If you unlock the Accounts pane and right click on Groups, the drop-down is astounding.

Anybody can join anything.

I'd love a precis of what's up with that, and not have to learn all about Unix permissions ... but there it is. Open to the public.

Seems to me the whole system is now "unsafe."

Feedback, please, from Sys Admins and those who know?

[ Reply to This | # ]
10.5: Join 'wheel' group as possible fix for system issues
Authored by: DrMacMusic on Jul 08, '08 12:52:45PM

Well, all I can say is this hint solved a nagging problem I was having. The game "BookWorm" by PopCap software seemed to work fine, but then after several uses, when I try to run it, I get an error stating:

..."Bookworm needs to run from an account that has administrator access"

My account does have administrator privileges. Deleting the preference file would allow me to run the program, but I would I have to re-register it, and I lose all of my user data. I tried many different things, including repairing permissions but nothing helped until I added my self to the group wheel.

Finally, a couple of comments. The above hint does, in fact, tell you how to add yourself to the group wheel. There is a link to another hint. So I do not understand why so many commenters slam the hint for that reason.

With regard to slamming hints in general, what is the purpose of that? There are many people who look at this site for helpful information. A fraction of these take the time to become members, and a fraction of the members take the time to post, reply, comment, or otherwise share information. No good comes from attacking people who are trying to be helpful. Comment, yes. Disagree, sure. But at least be civil about it.

And remember, if you slam me for my comments, you are simply proving me correct!



[ Reply to This | # ]