Access control lists (ACLs)

Along with the user roles and rights concept of PLCnext Technology, PLCnext Control devices in general are using the Linux® attributes on the file level from the beginning. In addition, PLCnext Technology devices developed to be secure by default (e. g. VPLCNEXT CONTROL 1000) are using another layer of access permission definition by implementing the POSIX™ access control lists (ACLs). This way, PLCnext Technology also implements adaptive restrictions on file/folder level. 

These measures are necessary for hardening the file system against several attack vectors and to provide simple and secure means for configuring permissions. On the long run, each process will only get the required privileges and resources, which also contributes to more performance and stability of users' applications.

For standard folders see Firmware directories; note the directories marked with the  icon.

POSIX™ file system ACLs

On secure-by-default devices, also ACLs of the Portable Operating System Interface (POSIX™, ISO/IEC/IEEE 9945) are implemented. This second generation of PLCnext Technology devices comes with the most secure default settings. 

POSIX™ ACLs provide flexible permissions in multiple user and group settings, predefined in access ACLs with permissions for files and directories. For new files and directories, default ACLs can provide different permissions.

Symbolic notation

The POSIX™ file and folder permissions are stored as extended attributes in the file system as a 10-digits symbolic notation:
A leading file type marker, three blocks for owner/group/others with  r for read, w for write, and x for execute, or a dash for no permissions:

Symbolic example Description
---------- no permissions
-rwx------ read, write, execute only for owner
-rwxrwx--- read, write, execute for owner and group
-rwxrwxrwx read, write, execute for owner, group and others
-rwxr----- owner can read, write, execute; group can only read; others have no permissions

How to

  • To check whether an ACL is defined for a file or folder, issue the Linux® ls -l command and look for a + after the file attributes.
  • To view file restrictions, issue the Linux® getfacl command for a specific file/folder.
  • To modify the attributes, issue the Linux® setfacl command for a specific file/folder.

 

 

 

• Published/reviewed: 2025-05-28  ✿  Revision 079 •