What is the Significance of the “wheel” Group in Ubuntu?
In Ubuntu, the “wheel” group is a special group that has significant security implications. It restricts access to the root user account and provides limited root privileges to certain trusted users. When a user is added to the “wheel” group, they are granted the ability to use the “su” (switch user) command to switch to the root user account. It allows the user to execute administrative tasks that need root authority, such as installing software, changing system files, and managing system services.
This guide will illustrate the significance of the “wheel” group along with practical implementation in Ubuntu.
Significance of the “wheel” Group in Ubuntu
The “su” command is only available to members of the wheel group. This means that even if a user knows the root password, they cannot switch to the root user account unless they are a member of the wheel group.
- Extra Layer of Security: It provides an extra layer of security for the root user account.
- Restrict Access: It restricts access to the root user account, which reduces the risk of accidental or malicious changes to the system.
- Delegate Certain Administrative Tasks: It also allows system administrators to delegate certain administrative tasks to trusted users without giving them full root access.
- Maintain the Stability of the System: It provides limited root privileges to trusted users.
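On Ubuntu, the su restriction described above takes effect only when the pam_wheel module is active in su's PAM stack (/etc/pam.d/su). The check below is an added example, not part of the original article; the function name su_wheel_status and its output labels are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: classify how a su PAM stack uses pam_wheel.
# Prints one of:
#   restricted-to:<group>  only members of <group> may use su
#   denied-for:<group>     members of <group> are refused (deny option)
#   advisory:<control>     pam_wheel is present but does not block non-members
#                          (bracketed control values also land here: review by hand)
#   not-enforced           no active pam_wheel line (line absent or commented)
su_wheel_status() {
    pam_file=${1:-/etc/pam.d/su}
    [ -r "$pam_file" ] || { echo "unreadable"; return 2; }
    awk '
        { sub(/#.*/, "") }                  # strip comments before matching
        $1 == "auth" && /pam_wheel\.so/ {
            # pam_wheel checks "wheel" (or GID 0 if no such group exists)
            # unless a group= option overrides it.
            group = "wheel"; deny = 0
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^group=/) group = substr($i, 7)
                if ($i == "deny")   deny = 1
            }
            if ($2 != "required" && $2 != "requisite") print "advisory:" $2
            else if (deny)                             print "denied-for:" group
            else                                       print "restricted-to:" group
            found = 1
            exit
        }
        END { if (!found) print "not-enforced" }
    ' "$pam_file"
}

# Constructed sample: a su PAM file with the pam_wheel line still commented.
sample=$(mktemp)
printf '%s\n' 'auth sufficient pam_rootok.so' \
              '# auth required pam_wheel.so' > "$sample"
su_wheel_status "$sample"        # not-enforced
rm -f "$sample"
```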
How to Add a User to the “wheel” group in Ubuntu?
By default, the first user created during installation is added to the “sudo” group. It permits the performance of administrative operations. To add a user to the “wheel” group in Ubuntu, you can follow these steps:
Step 1: Check the “wheel” Group with Existing Users
To check whether the “wheel” group is already present on the system, run the “grep” command against the “/etc/group” file:
The output shows that the “wheel” group exists and has one user assigned to it, named “roger”.
Optional: Create “wheel” Group
If the “wheel” group does not exist, create it using the “groupadd” command by specifying the “wheel” group as below:
The output shows that the “wheel” group has been created.
Step 2: Add the User to the “wheel” Group
Once the “wheel” group exists, add the user to it by using the “usermod” command with the “-aG” options. In our case, specify the username “peter” to add that user to the “wheel” group:
$ sudo usermod -aG wheel peter
The output shows that “peter” has been added to the “wheel” group.
Step 3: Verify Added User to the “wheel” Group
To verify the added user “peter” is part of the “wheel” group, run the following command:
The output confirms that the user “peter” is now a member of the “wheel” group.
How to Remove a User from the “wheel” Group?
To remove an existing user from the wheel group, use the “deluser” command by specifying the group and user names. In our case, remove “peter” from the “wheel” group:
The output shows that “peter” has been removed from the “wheel” group.
Conclusion
In Ubuntu, the “wheel” is a user group that provides administrative access to certain users on a system. Members of the “wheel” group can perform tasks, such as installing packages, updating/modifying system settings, and managing groups and users. This article has explained the significance of the “wheel” group along with adding a user to the “wheel” group in Ubuntu.
What is the purpose of “wheel” group in Linux
The root system account is used for a great deal more than just administrative tasks. Many parts of the actual Linux operating system run under root credentials. Many distributions disable the actual root account for users and instead allow administrative functions based on membership in the wheel group.
Members of the wheel group exercise the administrative privileges of root with less potential for damaging the system. For example, members of the wheel group can use the sudo command to avoid having to sign in as the root user. You can use the visudo command to edit the privileges of the wheel group, if necessary. You can add users to the wheel group to give them privileges. Be very cautious about the membership of the wheel group.
Which rpm provides the wheel group?
The wheel group is part of the /etc/group file that is shipped in the setup rpm. Nothing on the system appears to use the group, at least by default, so it should be safe to remove the wheel group entry if desired.
How to deny members of wheel-group to change root password
Edit the /etc/sudoers file and add ‘!/usr/bin/passwd root’ to the wheel part of the line.
1. Edit /etc/sudoers in visudo.
Note: visudo edits the sudoers file in a safe fashion, analogous to vipw(8). visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the sudoers file is currently being edited you will receive a message to try again later.
2. Change the %wheel line to:
%wheel ALL=(ALL) ALL, !/usr/bin/passwd root
3. SSH in as a user who has been added to the wheel group and try to reset the root password; you will get an error like the one below:
$ sudo passwd root
Sorry, user geek is not allowed to execute '/bin/passwd root' as root on lab.system01
Learn Linux wheel group usage [With Examples]
Every operating system has a user with full privileges. Because that account should not be shared among the people who log in to the system, some of its privileges are temporarily granted to other users instead.
On Linux systems, root is the most privileged user. The sudo/wheel group lets other users exercise some of those privileges.
The group is called sudo on Debian-based systems and wheel on Red Hat- and Arch-based systems.
Users are authorized by being added to this group.
Confirm that you have the root user's password before making changes to the wheel group. You may lose your authorization after an incorrect operation. We recommend that you perform these authorization changes as the root user.
Configuring Wheel Group in sudoers File
In the sudoers file, the wheel group is disabled (commented out) in many Linux distributions. Even if the user is in this group, the following warning appears when they try to run a privileged command:
foc@fedora:~$ sudo cat /etc/sudoers | grep wheel
[sudo] password for foc:
foc is not in the sudoers file. This incident will be reported.
## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
This issue is resolved by removing the # sign at the beginning of a %wheel line. With the first %wheel line enabled, users in the wheel group can run all commands after entering their own password. With the second %wheel line enabled, users do not need to enter a password:
#%wheel ALL=(ALL) NOPASSWD: ALL
Uncommenting this line is not recommended for security reasons.
You can open the sudoers file with an editor (vi, nano, etc.):
[root@fedora faruk]# nano /etc/sudoers
or you can use the visudo command:
Uncomment the first %wheel line in the sudoers file and try the same action again:
foc@fedora:~$ sudo cat /etc/sudoers | grep wheel
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
# %wheel ALL=(ALL) NOPASSWD: ALL
Prevent wheel group users from changing root password
Wheel group users get root privileges temporarily. This authorization includes changing the root password. To prevent this, the sudoers file should be written like this:
%wheel ALL=(ALL) ALL, !/usr/bin/passwd root
After this change, the user cannot change the root password even if the user is in the wheel group:
faruk@fedora:~$ sudo passwd root
Sorry, user faruk is not allowed to execute '/usr/bin/passwd root' as root on fedora.
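The sudoers states discussed in this section and in the earlier section on denying root password changes (commented-out rule, password-protected rule, NOPASSWD rule, and the rule with ‘!/usr/bin/passwd root’) can be told apart with a small audit. This is an added example, not code from the original articles; the function name audit_wheel_sudoers and its tags are hypothetical.

```sh
#!/bin/sh
# Added example: report what each active %wheel rule in a sudoers file grants.
# Tags: OK        password-protected grant with no negated commands
#       NOPASSWD  members run the granted commands without authenticating
#       DENYLIST  grants ALL and then subtracts commands with "!"; sudoers(5)
#                 warns this is generally not an effective restriction, so
#                 prefer listing the commands that are allowed instead
#       INACTIVE  every %wheel rule is commented out (group grants nothing)
# Files pulled in through #include/#includedir are not followed.
audit_wheel_sudoers() {
    awk '
        /^[ \t]*#/     { next }             # comment or include directive
        $1 != "%wheel" { next }
        {
            active = 1
            tags = ""
            if ($0 ~ /NOPASSWD:/)         tags = tags " NOPASSWD"
            if ($0 ~ /ALL[ \t]*,[ \t]*!/) tags = tags " DENYLIST"
            if (tags == "")               tags = " OK"
            print substr(tags, 2) ": " $0
        }
        END { if (!active) print "INACTIVE: no active %wheel rule" }
    ' "$1"
}

# Constructed sample built from the sudoers lines shown above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL, !/usr/bin/passwd root
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
EOF
audit_wheel_sudoers "$sample"
rm -f "$sample"
```

After editing, visudo -cf <file> checks a sudoers file for syntax errors without installing it.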
Wheel Group Operations for Users
There are 2 methods to add/remove users to the wheel group. One is to use a command for this job, and the other is to manually edit the /etc/group file.
Add/Remove Users to the wheel group by editing the group file
Edit the /etc/group file with a text editor (vim, nano, etc.) in the terminal:
List the users on the wheel group line, one after the other, separated by commas (,).
Then prefix the commands you type in the terminal with sudo to perform privileged actions as that user. After the user enters their password, the action will take place:
[user1@fedora ]$ sudo cat /etc/sudoers
[sudo] password for user1:
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
.
To remove the user from the group, it is sufficient to delete the user from the wheel group line again. This step will prevent that user from taking authorized actions.
Add/Remove User from Wheel Group with Command
There are several ways to add users to or remove users from the wheel group in Linux. When creating a user, you can add it to the wheel group directly with the adduser command:
[root@fedora faruk]# adduser user2 -G wheel
The added user is in the wheel group:
[root@fedora faruk]# cat /etc/group | grep wheel
wheel:x:10:foc,faruk,user1,user2
[root@fedora faruk]# groups user2
user2 : user2 wheel
If the user is already added and you just want to put them in the wheel group, use the usermod command:
[root@fedora faruk]# usermod -aG wheel omer
The user is also included in the wheel group like this:
[root@fedora faruk]# cat /etc/group | grep wheel
wheel:x:10:foc,faruk,user1,user2,omer
To remove the user from the wheel group, use the gpasswd command:
[root@fedora faruk]# gpasswd -d user1 wheel
Removing user user1 from group wheel
User user1 is now removed from the wheel group:
[root@fedora faruk]# cat /etc/group | grep wheel
wheel:x:10:foc,faruk,user2,omer
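Both membership procedures above (the Ubuntu steps and the Fedora commands) verify the result by reading /etc/group, which does not list accounts whose primary group is wheel. The following added example, not from the original articles, lists effective members from both files and reports any that are not on an approved list; the function names, the approved list and the svc account are assumptions.

```sh
#!/bin/sh
# Added example: list everyone who is effectively in a group, then flag
# accounts that are not on an approved list.

# wheel_members GROUP_FILE PASSWD_FILE [GROUP]
wheel_members() {
    group_file=${1:-/etc/group}
    passwd_file=${2:-/etc/passwd}
    awk -F: -v name="${3:-wheel}" '
        FILENAME == ARGV[1] {                # group file: name:pw:gid:members
            if ($1 == name) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
            }
            next
        }
        gid != "" && $4 == gid { print $1 }  # passwd file: primary GID match
    ' "$group_file" "$passwd_file" | sort -u
}

# unexpected_wheel_members GROUP_FILE PASSWD_FILE APPROVED_USER...
unexpected_wheel_members() {
    gf=$1 pf=$2
    shift 2
    approved=" $* "
    wheel_members "$gf" "$pf" | while read -r user; do
        case $approved in
            *" $user "*) ;;
            *) echo "$user" ;;
        esac
    done
}

# Constructed sample: the wheel line shown above plus a hypothetical account
# "svc" whose primary group in the passwd file is GID 10.
demo=$(mktemp -d)
printf '%s\n' 'wheel:x:10:foc,faruk,user1,user2,omer' > "$demo/group"
printf '%s\n' 'svc:x:990:10::/home/svc:/bin/sh' \
              'foc:x:1000:1000::/home/foc:/bin/bash' > "$demo/passwd"
unexpected_wheel_members "$demo/group" "$demo/passwd" foc faruk user2 omer
rm -rf "$demo"
```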
Summary
As mentioned above, wheel group users are the most privileged users after the root user. Take care when adding a user to or removing a user from this group.
Before adding users to or removing users from the wheel group, make sure that the root password is known, or switch to the root user by logging in with an authorized user in a different terminal. Otherwise, you may lose all your privileges on that system.
This article covered wheel, the superuser authorization group in Linux.