Application-relevant changes 2025:
Changes of security features
Prevent using RTLD_GLOBAL when loading shared libraries
When loading shared libraries (e.g. ACF or PLM components) the flag RTLD_GLOBAL was used for the dlopen() system call. This causes the symbols of a loaded library to become globally visible and may result in executing an unintended function.
The RTLD_GLOBAL flag is omitted now when loading shared libraries. Compatibility issues are not expected regarding this issue.
Removing unprivileged folders from ld.so.conf
Up to firmware 2024.6, the following folders or entries have been put into the directory /etc/ld.so.conf :
/usr/local/lib include /opt/plcnext/appshome/ld.configs/*.conf
This was used to find user programs or *.so files that have dependencies on other *.so files but are not in the system. *.so files integrated into the system in this way are made known system-wide. They could therefore also be loaded by processes running under root privileges by mistake and thus cause all kinds of damage to the system. So that configuration needed to be removed.
From now on, programs and *.so files that have further dependencies but are not present in PLCnext Technology must enter a fixed search path (rpath). This happens at the time of creation (linking) of the program or of the *.so file, or later by using chrpath.
Redesign of remoting to platform and security requirements
Security mechanisms in remoting do not work under all circumstances. In particular, security is restricted if there is more than one process running. From a security point of view, splitting processes is necessary.
The only currently known effects are:
- multiple sessions (logins) within one TCP connection are no longer possible
- RSC services developed by users require new generation with the RSC generator
ACF can restrict capabilities and UID/GID of processes
These measures are intended to achieve a better separation of system functions and user applications, so that applications cannot cause any damage to the system:
Up to firmware 2024.6, the entire ARP framework ran within a few processes. In addition, all processes ran with the same rights in the system. For example, an application also received all rights from the user that are actually only required for system functionalities. This needed to be reworked.
In special cases, authorizations that have been possible for applications before may no longer be available in the system with firmware 2025.0 (and also in the preceding Preview 2024.7).
Verification of signed application update containers
Application updates should be protected against modification so that only correctly signed application update containers are accepted. In order to use this feature, the user must sign such containers and configure a trust list with CA certificates on the PLC.
This depends on the following steps:
- preparation of the
Commonslayer for support of ASIC-E containers which are zipped and signed collections of files - implementation of a new
Commonsclass for app signature validation.
No side effects on compatibility are expected.
App part types Linux Daemon and Shared Library
The app part types Linux Daemon and Shared Library are no longer supported. The reason given for this is the security risks that can emanate from these app part types.
Linux Daemon:
The Linux Daemon app part contained in the PLCnext App is integrated into the system by the AppManager in such a way that it is started with root privileges by the initialization system at system startup. Since the AppManager cannot check the Linux Daemon itself, malicious code in the form of processes, one-time programs or scripts can be infiltrated in this way and called or started with root privileges.
Shared Library:
The Shared Library app part contained in a PLCnext App is integrated into the system by the AppManager and made known to the entire system by calling ldconfig. The attack vector here is the possibility of replacing existing Shared Libraries app parts with the help of an app, and thus, injecting any programs with manipulated Shared Libraries that potentially contain malicious code without being noticed.