Script and command execution

Command execution

Enabling script and command execution is not global and it is not an either/or decision. You can control which commands are allowed and which are not on a fine-grained level. See the example below.

[remote-commands]
  ## Enable or disable execution of remote commands sent by server.
  ## Defaults: true
  #enabled = true

  ## Limit the maximum length of the command output that is sent back to server.
  ## Applies to the stdout and stderr separately.
  ## If exceeded {send_back_limit} bytes are sent.
  ## Defaults: 2048
  #send_back_limit = 2048

  ## Allow commands matching the following regular expressions.
  ## The filter is applied to the command sent. Full path must be used.
  ## See {order} parameter for more details how it's applied together with {deny}.
  ## Defaults: ['^/usr/bin/.*','^/usr/local/bin/.*','^C:\\Windows\\System32\\.*']
  #allow = ['^/usr/bin/.*','^/usr/local/bin/.*','^C:\\Windows\\System32\\.*']

  ## Deny commands matching one of the following regular expressions.
  ## The filter is applied to the command sent. Full path must be used.
  ## See {order} parameter for more details how it's applied together with {allow}.
  ## With the below default filter only single commands are allowed.
  ## Defaults: ['(\||<|>|;|,|\n|&)']
  #deny = ['(\||<|>|;|,|\n|&)']

  ## Order: ['allow','deny'] or ['deny','allow']. Order of which filter is applied first.
  ## Defaults: ['allow','deny']
  ##
  ## order: ['allow','deny']
  ## First, all allow directives are evaluated; at least one must match, or the command is rejected.
  ## Next, all deny directives are evaluated. If any matches, the command is rejected.
  ## Last, any commands which do not match an allow or a deny directive are denied by default.
  ## Example:
  ## allow: ['^/usr/bin/.*']
  ## deny: ['^/usr/bin/zip']
  ## All commands in /usr/bin except '/usr/bin/zip' can be executed. Full path must be used.
  ##
  ## order: ['deny','allow']
  ## First, all deny directives are evaluated; if any match,
  ## the command is denied UNLESS it also matches an allow directive.
  ## Any command which do not match any allow or deny directives are permitted.
  ## Example:
  ## deny: ['.*']
  ## allow: ['zip$']
  ## All commands are denied except those ending in zip.
  ##
  #order = ['allow','deny']
PreviousSupervision of OS updatesNextAdvanced client management

Last updated

Was this helpful?