User rights
Default user
PLCnext Controls are supplied with a preset admin user and a default password that is printed on the controller's housing. This enables access to the most important functions.
admin user
When a PLCnext user logs into the SSH console with the admin user, the user is also recognized with the same name and password by the Linux system. The user is therefore assigned to the plcnext Linux group. Files that this user may read, write to and/or execute are assigned to the plcnext group file system.
plcnext_firmware user
The plcnext_firmware user is another major user in the Linux system. It is permanently integrated and is used for starting the PLCnext firmware processes. In the Linux system, the user has the rights to execute all the operations required.
In addition to the Linux user rights, the PLCnext Technology firmware also has its own user management. Its configuration is described in User Authentication.
Override with sudo
Executing Linux commands that require higher rights is made possible for the users via sudo. Which Linux commands the PLCnext users are allowed to execute via sudo is being configured in the Linux system.
Default rights settings
The following rights are available:
| Rights | plcnext group |
admin | sudo required |
Setting and inspecting IP settings (including ifconfig, ping, netstat, etc.) |
✓ | ✓ | ✓ (for ifconfig) |
| Configuring the firewall | ✓ | ✓ | – |
Starting/stopping the firewall (init script) |
✓ | ✓ | ✓ |
Inspecting the firewall with nft |
✓ | ✓ | ✓ |
| Configuring VPN (IPsec and OpenVPN™) | – | ✓ | – |
| Starting/stopping VPN services (IPsec and OpenVPN™) | – | ✓ | ✓ |
| Editing the Default PLCnext folder for individual ACF, ESM, GDS configurations, and *.so | ✓ | ✓ | – |
Starting/stopping the PLCnext Technology firmware processessudo /etc/init.d/plcnext start|stop|restart
|
– | ✓ | ✓ |
| Reading PLCnext log files | ✓ | ✓ | – |
| Calling and configuring TOP/HTOP | ✓ | ✓ | – |
Firmware update via update script with sudo update-plcnext– |
– | ✓ | ✓ |
| Configuring the NTP server | ✓ | ✓ | – |
Setting the root password with passwd |
– | ✓ | ✓ |
Requesting the system time with date |
✓ | ✓ | – |
Setting the system time with sudo date -s |
✓ | ✓ | ✓ |
Restarting/shutting down the controller with reboot or shutdown |
– | ✓ | ✓ |
| Write access to /opt/plcnext and /opt/plcnext/projects | ✓ | ✓ | – |
Recording network traces with tcpdump |
✓ | ✓ | ✓ |
Starting the gdbserver with root rights (see here how to do that) |
– | ✓ | ✓ |
Resetting to factory defaults with sudo recover-plcnext 1(see also Factory reset) |
– | ✓ | ✓ |
Root rights
For some commands you require advanced rights. To this end, the root user password needs to be set while the root user itself already exists under the Linux® system.
Risk of personal injury or damage to equipment
With active root user access, the controller must not be used for live operation.
Before live operation of the controller return to an appropriate user role and remove the root user password.
Security Note: With root user access, you can make unlimited changes on the controller. Root rights are therefore only suitable for qualified application programmers and software engineers with relevant experience.
- Avoid making changes to the PLCnext Technology firmware or Operating System itself. If changes are necessary, see Overlay File System for details.
- Do not supply the device with an already set password for the
rootuser. - Remove the root password as soon as
rootuser access is not required any more.
Setting a root user password
- Connect to the controller via its IP address and log in as
adminuser. The default password for the user printed on the controller's housing. - Enter this command:
sudo passwd root. - Enter the
adminuser's password to authorize this command. - Enter a new password for the
rootuser (minimum 5 characters, preferably consisting of upper-case and lower-case letters plus numbers). - Confirm the new password by entering it again.
Show the screenshotShow the screenshot
Using the root user
- Connect to the controller via its IP address and log in as
adminuser. The default password for theadminuser is printed on the controller's housing. - Switch to the
rootuser with thesu -command and therootuser's password. - Perform the activities that need the
rootuser's rights. - Once you have executed all the activities as the
rootuser, change back to the previous user role (e.g.,admin) using theexitcommand.
Removing the root password
If the root user is no longer required, remove the password. This prevents unauthorized users from modifying the firmware.
- Connect to the controller via its IP address and log in as
adminuser. The default password for the user printed on the controller's housing. - In the shell or command line interface, enter this command:
sudo passwd -d root.
After that, the root user stays present on the controller. Before using it again you have to set a new password.
Recommended: The easiest way to undo changes to the root user is a reset to default setting type 1. This will also remove the root user's password.
SSH login as root user
By default, the SSH login as a root user is prevented for security reasons. Nevertheless, they are some cases where the SSH login as the root user is necessary to perform commands that are reserved for the root user under a secure SSH connection.
To log in as a root user, the root user password must be set.
Security Note: With root user access, you can make unlimited changes on the controller. Root rights are therefore only suitable for qualified application programmers and software engineers with relevant experience.
- Avoid making changes to the PLCnext Technology firmware or Operating System itself. If changes are necessary, see Overlay File System for details.
- Do not supply the device with an already set password for the
rootuser. - Remove the root password as soon as
rootuser access is not required any more.
To enable or disable direct login via SSH for the root user, you have to configure this in the sshd_config file as shown here:
Activating SSH login as root user
- Connect to the controller and log in as the
rootuser. - Open the /etc/ssh/sshd_config file with a suitable editor.
- In the
# Authentication:section, enable thePermitRootLogin yesentry that is commented out by default. - Restart the SSH service with
/etc/init.d/sshd reload
Deactivating SSH login as root user
- Connect to the controller and log in as the
rootuser. - Remove the file /etc/rfs/rw/upperdir/etc/ssh/sshd_config from the file system of your controller.
- Reboot the controller.
Related Topics
• Published/reviewed: 2023-09-25 • Revision 059 •