Group and file permissions

TwinCAT/BSD uses the access control list that is also used by other Unix-like systems. There are generally three types of users for whom you can define permissions: owner of the files, owner's group and all other users (Owner / Group / Other). For each user type, you can set write, read, and execute permissions for a file.

View the permissions of files and directories in one place with ls -l:

Administrator@CX-0C8440$ ls -l
total 10
-rw-r--r--  1 root           Administrator   5 Dec  4 12:31 file
-rw-r--r--  2 Administrator  Administrator  10 Dec  4 15:29 test
drwxr-xr-x  3 Administrator  Administrator   6 Dec  7 10:44 testdir

The first column contains the permission scheme, followed by the owner of the file and the owner's group. The permission scheme is divided into four parts. The first character indicates the type of entry, whether it is a file (-) or a directory (d). The next three characters show the owner's rights, the next three show the group's rights, and the last three show the rights for all other users. Within each group of three, the first character indicates whether read permission has been granted (r), the second whether write permission has been granted (w), and the third whether the file can be executed or the directory can be accessed (x). The permission scheme of the above output from ls -l can be read as follows:

Type           Owner                    Group              Other
- file         rw- read write           r-- read           r-- read
- file         rw- read write           r-- read           r-- read
d directory    rwx read write execute   r-x read execute   r-x read execute

By default, a new file is given the rights -rw-r--r--, which means that new scripts must first be made executable. With the default permissions, even the superuser root cannot run the script.

To change the permissions remotely via your development computer, you can use WinSCP, described in the TwinCAT/BSD documentation in chapter "Managing files with WinSCP client". Locally, the permissions can be changed via the program chmod. Enter man chmod for the local manual.
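
As an added example (not part of the original documentation), the following POSIX sh script decodes the permission scheme described above into the octal mode that chmod accepts and marks entries that all other users may write to. The sample listing is constructed: it reuses the three entries from the ls -l output above and adds a hypothetical world-writable file, params.cfg.

```sh
#!/bin/sh
# Added example (not from the TwinCAT/BSD documentation).
# Decodes the permission scheme printed by `ls -l` into the octal mode that
# chmod accepts and marks entries that all other users may write to.
# Only the nine r/w/x positions are decoded; s and t count as "x".

# One rwx triplet -> one octal digit (r=4, w=2, x=1).
triplet_to_digit() {
    d=0
    case $1 in r??) d=$((d + 4)) ;; esac
    case $1 in ?w?) d=$((d + 2)) ;; esac
    case $1 in ??[xst]) d=$((d + 1)) ;; esac
    echo "$d"
}

# Full scheme such as -rw-r--r-- -> 644 (characters 2-4, 5-7, 8-10).
perm_to_octal() {
    u=$(printf '%s' "$1" | cut -c2-4)
    g=$(printf '%s' "$1" | cut -c5-7)
    o=$(printf '%s' "$1" | cut -c8-10)
    echo "$(triplet_to_digit "$u")$(triplet_to_digit "$g")$(triplet_to_digit "$o")"
}

# Reads `ls -l` output on stdin, prints: MODE OWNER:GROUP NAME NOTE
audit_listing() {
    while read -r scheme _links owner group _size _mon _day _time name; do
        case $scheme in
            [-d]?????????*) ;;      # regular file or directory
            *) continue ;;          # "total N" and other entry types
        esac
        note=ok
        case $scheme in ????????w*) note=WORLD-WRITABLE ;; esac
        printf '%s %s:%s %s %s\n' \
            "$(perm_to_octal "$scheme")" "$owner" "$group" "$name" "$note"
    done
}

# Constructed input: the three entries from the listing above plus one
# made-up world-writable file (params.cfg is a hypothetical name).
sample_listing() {
    cat <<'EOF'
total 10
-rw-r--r--  1 root           Administrator   5 Dec  4 12:31 file
-rw-r--r--  2 Administrator  Administrator  10 Dec  4 15:29 test
drwxr-xr-x  3 Administrator  Administrator   6 Dec  7 10:44 testdir
-rw-rw-rw-  1 Administrator  Administrator  12 Dec  7 10:50 params.cfg
EOF
}

sample_listing | audit_listing
```

To check a real directory, replace the last line with ls -l <directory> | audit_listing.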

Create unprivileged users

It is advisable to use different users for different tasks, such as an "HMI user" or a "maintenance" user. Give each user the rights they need to perform their tasks, and make sure that only the responsible users can be given root rights. To create a user account, use the following command:

doas adduser

This will launch a wizard that will guide you through the user creation process. To edit a user, use doas chpass <user>.

There are already some users that are shipped with the base system. In addition to the Administrator user, there are so-called system accounts. These accounts are not set up as interactive accounts and are only used to manage and run integrated programs.

Groups

Users are divided into one or more groups. When a new user is created, a group with the same name is created by default. Additionally, users with similar tasks can be assigned to a common group to have similar permissions. These permissions can be access to specific folders and files, as well as running programs.

Users assigned to the "wheel" group can be granted root rights. The preconfigured user "Administrator" is a "wheel" member and obtains root rights by placing the command doas in front of programs and authenticating again with their password.

Change the group memberships and create new groups by editing /etc/group with doas ee /etc/group accordingly.

This file shows all available groups. Most of the groups shown are default groups and originate historically from Unix. For security reasons, these groups are assigned to system users who have a specific task. Otherwise, these programs would run with root rights without restrictions.

Restricting the use of the system

You can use so-called logon classes to define system resources and information that are made available to users.