Security Mechanisms

The extension API provides comprehensive options to influence the runtime system. As a result, the user has to pay attention to necessary security measures.

For CODESYS Control Extension Package 4.4.0.0 and higher, the codesysuser group is created when the package is installed. Some functions of the extension API require that the Linux user who uses them is a member of the codesysuser group. With administrator privileges, you can add a user to this group using the following command (as an example):

$ sudo adduser $USER codesysuser

The reason behind this procedure is that the mechanisms use the /var/run/codesysextension/ and /var/opt/codesysextension/ working directories. These have 770 permissions and are assigned to the codesysuser group. This ensures that unauthorized users cannot interfere with the runtime system.

Important

All members of the codesysuser group can influence the runtime system.
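The following added example (not part of the CODESYS package or its documentation) checks that both working directories still have the 770 mode and codesysuser group described above, and lists the group members, since each of them can influence the runtime system. The function names and the --audit switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the extension working directories named on this page.
EXT_DIRS="/var/run/codesysextension /var/opt/codesysextension"
EXT_GROUP="codesysuser"

# check_ext_dir DIR [GROUP]
# Returns 0 only if DIR exists, has mode 770 and is assigned to GROUP.
check_ext_dir() {
    dir=$1
    group=${2:-$EXT_GROUP}
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 2
    fi
    # stat -c (GNU coreutils, BusyBox): %a = octal mode, %G = group name
    mode=$(stat -c '%a' "$dir")
    dgroup=$(stat -c '%G' "$dir")
    if [ "$mode" = "770" ] && [ "$dgroup" = "$group" ]; then
        echo "OK      $dir (mode $mode, group $dgroup)"
        return 0
    fi
    echo "DEVIATE $dir (mode $mode, group $dgroup; expected 770, $group)"
    return 1
}

# list_group_members GROUP
# Prints the members listed in the group entry, one per line. Users whose
# primary group is GROUP are not listed there; check /etc/passwd for those.
list_group_members() {
    getent group "$1" | cut -d: -f4 | tr ',' '\n'
}

audit() {
    rc=0
    for d in $EXT_DIRS; do
        check_ext_dir "$d" || rc=1
    done
    echo "Members of $EXT_GROUP (each can influence the runtime system):"
    list_group_members "$EXT_GROUP" | sed 's/^/  /'
    return $rc
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit
fi
```

Run the script with the --audit argument; it exits non-zero if either directory is missing or deviates from the expected mode or group.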

Important

The following mechanisms are based on a Unix Domain Socket (UDS):

It is necessary for the IEC programmer to query error codes of the respective function block for these mechanisms and to react appropriately (example: establishing or aborting a connection).

Important

To prevent a workload attack, the Unix peers (Unix Domain Sockets) need to have at least the same priority or a higher priority than the IEC task itself. The UDS peers are the provided examples or the user-created programs which use the functions of the Extension API.

This priority is not the priority displayed in the task configuration of CODESYS. It can be determined on the Linux system by means of htop: look for the task which has the same name as the IEC task assigned in CODESYS.

Important

The PLC shell requires the "anonymous user". If this is enabled, then it is not possible to trace which Linux user has used the PLC shell.

Important

Due to the process separation, the new interfaces of the CODESYS Control Extension Package do not provide the capability of user authentication (from the point of view of the CODESYS Development System). It is not possible to assign a corresponding Linux user or user name to an IEC user.

As a result, not only the IEC users but also the Linux users have to be considered and administered accordingly when considering the security of the IEC application.

Only authorized users may have administrative access to the Linux system of the runtime system.

Important

In the case of interfaces which use process separation, it cannot be ruled out that data is passed unencrypted on the system. This means that an attacker with administrative permissions on the system could record them.