Test System Security


LinuxRT User Permissions Report

We're delivering a system that has a cRIO and were given the requirement to "ensure that only authorized personnel from [company] have the ability to delete, modify and move critical files". Is there some standard way in Linux to produce some output that we could use to check this box?

 

For the admin account I think we should be fine by setting some default password and explaining how to update the password upon delivery but I'm less sure about the lvuser account and exactly what permissions that has. We've been careful about giving lvuser additional permissions but I'm not really sure what permissions lvuser has by default.

 

I'm concerned about the lvuser account because we're making use of the embedded UI and I haven't found a simple way to stop the user from getting into the terminal. Even though the application is set to full screen and we've disabled ctrl keys and the close/minimize window, users can still plug in a keyboard and press alt+space to close out of the application window.

0 Kudos
Message 1 of 6
(307 Views)
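
One way to produce the kind of report asked about in the first post, as an added example that is not part of the original thread and not NI's own tooling: a shell function (the name `perm_report` is hypothetical) that lists every entry under a directory that a given account, such as lvuser, can modify according to the file mode bits. It assumes standard `find`, `id`, `sort` and `ls`, and it does not cover ACLs or root's ability to bypass mode bits.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread).
# Usage: perm_report /path/to/critical/files lvuser
# Prints an "ls -ld" line for each entry USER may modify by mode bits.
# A writable directory in the output means USER can also delete, rename
# or replace the entries inside it, whatever their own modes are.
perm_report() {
    dir=$1
    user=$2
    {
        # Entries owned by the user with the owner-write bit set.
        find "$dir" ! -type l -user "$user" -perm -200 -print
        # Group-writable entries owned by any group the user belongs to.
        for gid in $(id -G "$user"); do
            find "$dir" ! -type l -group "$gid" -perm -020 -print
        done
        # World-writable entries: writable by every account.
        find "$dir" ! -type l -perm -002 -print
        # Symlinks are skipped above: their own mode bits are meaningless.
    } | sort -u | while IFS= read -r path; do
        ls -ld "$path"
    done
}
```

An empty report for lvuser over the critical directories is the output that supports the requirement; any line that does appear names a file or directory to tighten with `chown`/`chmod`.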

We have a secure profile that we've developed for cRIO, and we recommend that you configure your cRIO to this profile. It addresses the concerns you raised about accounts, file access, and a number of other security concerns.

 

We are about to release it - it depends on a kernel update that is coming out soon. But contact me and I'll share what we have and figure out the best way for you to deliver this project. steve.summers@emerson.com

0 Kudos
Message 2 of 6
(286 Views)

@SumRunner Are you referring to the "lvuser" account or some other account? 

"All truths are easy to understand once they are discovered; the point is to discover them." -- Galileo Galilei

0 Kudos
Message 3 of 6
(260 Views)

The embedded UI doesn't have a login manager, so when you run embedded UI you are running as the lvuser. For the best security, disable embedded UI. If you run the SNAC configuration utility, it will disable embedded UI for this reason. 

0 Kudos
Message 4 of 6
(250 Views)

@SumRunner wrote:

We have a secure profile that we've developed for cRIO, and we recommend that you configure your cRIO to this profile. It addresses the concerns you raised about accounts, file access, and a number of other security concerns.

 

We are about to release it - it depends on a kernel update that is coming out soon. But contact me and I'll share what we have and figure out the best way for you to deliver this project. steve.summers@emerson.com


Few questions about this:

  1. Is this separate from the nilrt-snac repo that's on GitHub?
  2. You specifically mention cRIO but I'm guessing that's because of my post and this configuration would be valid for RT PXI controllers as well, correct?
  3. Would you anticipate this working well with VeriStand?

Right now, for this project, I think we'll first see if the customer comes back with any objections but we'll need to do this often enough for other projects so this sounds interesting.

0 Kudos
Message 5 of 6
(236 Views)

This is the NILRT-SNAC repo that is on GitHub. But there is a new version to be released soon that makes significant improvements. I can share this with you if you email me.

 

This applies to both cRIO and PXI running NILRT. It's the same OS for both platforms.

 

Fully locked down in this mode, it doesn't fully work with VeriStand. Once it's locked down, you can open up parts of it to make it work with VeriStand, just document what had to be opened up for your customer. With that information, they can plan for other protections at the system level. 

 

Email me directly for more information: steve.summers@emerson.com

0 Kudos
Message 6 of 6
(222 Views)