Mac OS X Server 1.x: About The Group Wheel
Note: This document was installed by Mac OS X Server in /System/Documentation/ReadMe. For a list of other release notes see:
Article 30925: "Mac OS X Server: Release Notes"
Notes on group wheel and special administrative access for non-root users
The program that gives you command-line access to a root shell while you are logged in as a regular user (/usr/bin/su) behaves slightly differently on Mac OS X Server than on other 4BSD systems. The usual BSD behavior is that only users in the group wheel may use su to gain access to a super-user (root) prompt, unless the group wheel does not exist or has no users in it, in which case any user may use su. On Mac OS X Server, the behavior is the same, except that when the wheel group is empty or nonexistent, nobody can su. This change was made because of a difference in how the list of users in a group is looked up on Mac OS X Server: the lookup is hierarchical, not the usual flat lookup as in /etc/master.passwd.
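The two rules can be compared side by side with a small script. This is an added example, not code from Apple or from this ReadMe. It assumes group data in flat group(5) text form, and the policy labels "bsd" and "osxs" and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Apple's code. Input is group(5) text:
#   name:passwd:gid:member,member
# The policy labels "bsd" and "osxs" and all sample data are constructed.

# wheel_members FILE: print wheel's members one per line; prints nothing
# when the group is missing or has no members.
wheel_members() {
    awk -F: '$1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1"
}

# may_su POLICY USER FILE: exit status 0 if USER may su to root.
#   bsd  - empty or missing wheel: everyone may su
#   osxs - empty or missing wheel: nobody may su (Mac OS X Server rule)
may_su() {
    members=$(wheel_members "$3")
    if [ -z "$members" ]; then
        [ "$1" = bsd ]
        return
    fi
    printf '%s\n' "$members" | grep -Fqx -- "$2"
}

# Constructed sample group files: populated, empty and missing wheel.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'wheel:*:0:alice\nstaff:*:20:alice,bob\n' > "$demo/populated"
printf 'wheel:*:0:\nstaff:*:20:alice,bob\n'      > "$demo/empty"
printf 'staff:*:20:alice,bob\n'                  > "$demo/missing"

for f in populated empty missing; do
    for p in bsd osxs; do
        for u in alice bob; do
            if may_su "$p" "$u" "$demo/$f"; then r=allowed; else r=denied; fi
            printf '%-9s %-4s %-5s su %s\n' "$f" "$p" "$u" "$r"
        done
    done
done
```

The two policies differ only in the "empty" and "missing" rows: under the Mac OS X Server rule an unpopulated wheel group locks every user out of su, so an audit should treat an empty wheel group as a finding on either kind of system.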
Users who need special administrator access should be explicitly added to group wheel via Network Manager. Note that adding a user to the wheel group on your parent NetInfo server (if applicable) grants that user such access on all machines inheriting configuration from that server, while adding a user to a local wheel group grants special access only on the local machine.
The local user account that is optionally created with Setup Assistant is automatically added to the wheel group under the assumption that this user is the primary user of the machine and therefore should have such privileges. Note that the user is added to the local wheel group, not a network wheel group, and therefore only has such privileges on the local host.
The special privileges granted to users in group wheel include the ability to use the su program to gain a root prompt and the ability to edit files which are otherwise restricted, such as the web server documents and configuration in /Local/Library/WebServer. There may also be other privileges granted depending on the configuration of the machine. Beware that users with such privileges may be able to compromise a system and obtain root-level access even without the administrator (root) password. One should therefore limit such privileges to trusted users and only on appropriate hosts.
The ability to log in as root via loginwindow (if one knows the password) is not affected by which users are in group wheel, nor is the ability of users with the root password to use system management tools such as NetworkManager to gain certain privileges which are only otherwise available to the root user. Restricting wheel users does not prevent this form of obtaining root privileges.
One cannot log into a machine remotely via telnet as root (unless root has no password), and therefore users who wish to obtain root access remotely must first log in as a normal user and then use su to gain root access. By restricting wheel access you can therefore reduce the probability that a compromised account will result in an intruder obtaining privileged access via the network.