User rights

Default user

PLCnext Controls are supplied with a preset admin user and a default password that is printed on the controller's housing. 
Security shield Security note: Use the default admin password only for initial access and change it as soon as possible!

admin user

When a user logs onto a PLCnext Control with the admin user, the user is also recognized with the same name and password by the Linux® system. The user is therefore assigned to the plcnext group of the Linux® system. Files that this user may read, write to and/or execute are assigned to the plcnext group file system.

plcnext_firmware user

The plcnext_firmware user is another major user in the Linux system. It is permanently integrated and is used for starting the PLCnext firmware processes. In the Linux system, the user has the rights to execute all the operations required.
In addition to the Linux user rights, the PLCnext Technology firmware also has its own user management. Its configuration is described in User Authentication.

Override with sudo

Executing Linux commands that require higher rights is made possible for the users via sudo. Which Linux commands the PLCnext users are allowed to execute via sudo is being configured in the Linux system.

Default rights settings

The following rights are available:

Rights plcnext group admin sudo required
Setting and inspecting IP settings (including ifconfig, ping, netstat, etc.)
(for ifconfig)
Configuring the firewall
Starting/stopping the firewall (init script)
Inspecting the firewall with nft
Configuring VPN (IPsec and OpenVPN™)
Starting/stopping VPN services (IPsec and OpenVPN™)
Editing the Default PLCnext folder for individual ACF, ESM, GDS configurations, and *.so
Starting/stopping the PLCnext Technology firmware processes with sudo /etc/init.d/plcnext start|stop|restart
Reading PLCnext log files
Calling and configuring TOP/HTOP
Firmware update via update script with sudo update-plcnext
Configuring the NTP server
Setting the root password with passwd
Requesting the system time with date
Setting the system time with sudo date -s
Restarting/shutting down the controller with reboot or shutdown
Write access to /opt/plcnext and /opt/plcnext/projects
Recording network traces with tcpdump
Starting the gdbserver with root rights (see C++ remote debugging )
Resetting to factory defaults with sudo recover-plcnext 1 (see also Factory reset)

Root rights

For some commands you require advanced rights. To this end, the root user password needs to be set while the root user itself already exists under the Linux® system.

Risk of personal injury or damage to equipment

With active root user access, the controller must not be used for live operation.

Before live operation of the controller return to an appropriate user role and remove the root user password.

Security Note: With root user access, you can make unlimited changes on the controller. Root rights are therefore only suitable for qualified application programmers and software engineers with relevant experience.
  • Avoid making changes to the PLCnext Technology firmware or Operating System itself. If changes are necessary, see Overlay File System for details.
  • Do not supply the device with an already set password for the root user.
  • Remove the root password as soon as root user access is not required any more.

Setting a root user password

  • Connect to the controller via its IP address and log in as admin user. The default password for the admin user is printed on the controller's housing.
  • Enter this command:
    sudo passwd root
  • To authorize this command, enter the admin user's password .
  • Enter a new password for the root user (minimum 5 characters, preferably consisting of upper-case and lower-case letters plus numbers).
  • Confirm the new password by entering it again.
    Show the screenshotShow the screenshot
    console2

Using the root user

  • Connect to the controller via its IP address and log in as admin user. The default password for the admin user is printed on the controller's housing.
  • Switch to the root user with the su - command and the root user's password.
  • Perform the activities that need the root user's rights.
  • Once you have executed all the activities as the root user, change back to the previous user role (e.g., admin) using the exit command.

Removing the root password

If the root user is no longer required, remove the password. This prevents unauthorized users from modifying the firmware.

  • Connect to the controller via its IP address and log in as admin user. The default password for the admin user is printed on the controller's housing.
    Security shield Security note: Use the default admin password only for initial access and change it as soon as possible!
  • In the shell or command line interface, enter this command: sudo passwd -dl root.

After that, the root user stays present on the controller. Before using it again you have to set a new password.

Recommended: The easiest way to undo changes to the root user is a reset to default setting type 1. This will also remove the root user's password.

SSH login as root user

By default, the SSH login as a root user is prevented for security reasons. Nevertheless, they are some cases where the SSH login as the root user is necessary to perform commands that are reserved for the root user under a secure SSH connection.

To log in as a root user, the root user password must be set.

Security Note: With root user access, you can make unlimited changes on the controller. Root rights are therefore only suitable for qualified application programmers and software engineers with relevant experience.
  • Avoid making changes to the PLCnext Technology firmware or Operating System itself. If changes are necessary, see Overlay File System for details.
  • Do not supply the device with an already set password for the root user.
  • Remove the root password as soon as root user access is not required any more.

To enable or disable direct login via SSH for the root user, you have to configure this in the sshd_config file as shown here:

Activating SSH login as root user

  • Connect to the controller and log in as the root user.
  • Open the /etc/ssh/sshd_config file with a suitable editor.
  • In the # Authentication: section, enable the PermitRootLogin yes entry that is commented out by default.
  • Restart the SSH service with /etc/init.d/sshd reload

Deactivating SSH login as root user

  • Connect to the controller and log in as the root user.
  • Remove the file /etc/rfs/rw/upperdir/etc/ssh/sshd_config from the file system of your controller.
  • Reboot the controller. 

 


• Published/reviewed: 2024-12-19  ☃  Revision 076 •