# Executing commands

### Security notice

The execution of commands must be allowed in the rport client configuration file `/etc/rport/rport.conf` on Linux or `C:\Program Files\rport\rport.conf` on Windows.

You can create a list of allowed commands and a list of disallowed commands. This allows fine-grained filtering.

{% code title="rport.conf" %}

```
[remote-commands]
  ## Enable or disable execution of remote commands sent by server.
  ## Defaults: true
  #enabled = true

  ## Allow commands matching the following regular expressions.
  ## The filter is applied to the command sent. Full path must be used.
  ## See {order} parameter for more details how it's applied together with {deny}.
  ## Defaults: ['^/usr/bin/.*','^/usr/local/bin/.*','^C:\\Windows\\System32\\.*']
  #allow = ['^/usr/bin/.*','^/usr/local/bin/.*','^C:\\Windows\\System32\\.*']
```

{% endcode %}

See [all configuration options](https://github.com/cloudradar-monitoring/rport/blob/master/rport.example.conf#L132-L177) and more [configuration examples](https://oss.rport.io/docs/no06-command-execution.html#securing-your-environment).

{% hint style="warning" %}
Allowing remote commands without restrictions makes the RPort server very powerful. Anyone who has access to the RPort server API or the web interface can take full control of connected clients. \
👉 It's highly recommended to use [two-factor authentication](/install-the-rport-server/enable-two-factor-authentication.md).
{% endhint %}

### Multiple commands

It is possible to execute multiple commands. On Windows, you must concatenate the commands with a single ampersand `&`. On Linux, you can use line breaks or the semicolon.

![Execution of two commands in a single run.](/files/-MkgPeOtxjyzyFqvfq9S)

Bear in mind that the concatenation signs `&`, `;`, `\n` must be allowed by the regular expressions of the command restrictions.

### 👺 Pitfalls

If you only want to allow a limited set of commands, pay special attention to the deny rules. Look at the following example.

{% code title="rport.conf" %}

```
allow = ['^systemctl (status|restart).*']
deny = []
order = ['allow','deny']
```

{% endcode %}

These rules lead to unrestricted command execution because `systemctl (status|restart)` can be followed by any character. For example, `systemctl status cron;poweroff` is possible. If you want to allow just a single command but with parameters, you must deny all characters that allow command concatenation.

{% code title="rport.conf" %}

```
deny = ['(\||<|>|;|,|\n|&)']
```

{% endcode %}

![Command concatenation rejected.](/files/-MkgUbCwVUNzeTpyuAsf)

### Windows PowerShell

Commands are always executed in the `cmd.exe` shell on Windows. To execute a PowerShell command, you must prefix the command with `powershell`, for example, `powershell "Get-Service spooler"`.

![Executing powershell commands](/files/-MkgWJDSNdcQNIst7PW1)

If you only want to allow restarting any service via PowerShell, change your configuration as follows.

```
allow = ['^powershell \"(Get|Restart)-Service .*\"']
deny = ['(\||<|>|;|,|\n|&)']
order = ['allow','deny']
```

{% hint style="info" %}
While PowerShell is case insensitive, the regular expressions used for filtering are not. They are case sensitive, and the commands must be typed with the correct capitalization.
{% endhint %}
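To check allow and deny patterns before deploying them, the following added example (not RPort's own code) evaluates the rules from the Pitfalls and Windows PowerShell sections against constructed sample commands. It assumes that `order = ['allow','deny']` accepts a command only when at least one allow pattern matches and no deny pattern matches; `Policy`, `compile`, `matchAny` and `Permits` are hypothetical names.

```go
package main

import (
	"fmt"
	"regexp"
)

// Patterns copied from the rport.conf examples on this page.
const (
	sysAllow   = `^systemctl (status|restart).*`
	psAllow    = `^powershell \"(Get|Restart)-Service .*\"`
	denyConcat = `(\||<|>|;|,|\n|&)`
)

// Policy models order = ['allow','deny'] (assumed semantics, not RPort code):
// Permits accepts a command only if some allow pattern matches and no deny pattern does.
type Policy struct{ Allow, Deny []*regexp.Regexp }

func compile(patterns ...string) []*regexp.Regexp {
	var out []*regexp.Regexp
	for _, p := range patterns {
		out = append(out, regexp.MustCompile(p))
	}
	return out
}

func matchAny(res []*regexp.Regexp, cmd string) bool {
	for _, re := range res {
		if re.MatchString(cmd) {
			return true
		}
	}
	return false
}

func (p Policy) Permits(cmd string) bool {
	return matchAny(p.Allow, cmd) && !matchAny(p.Deny, cmd)
}

func main() {
	deny := compile(denyConcat)
	weak := Policy{Allow: compile(sysAllow)} // deny = []
	strict := Policy{Allow: compile(sysAllow), Deny: deny}
	ps := Policy{Allow: compile(psAllow), Deny: deny}
	cmds := []string{"systemctl status cron", "systemctl status cron;poweroff",
		`powershell "Get-Service spooler"`, `powershell "get-service spooler"`} // constructed samples
	for _, c := range cmds {
		fmt.Printf("%-36q weak=%-5v strict=%-5v ps=%v\n", c, weak.Permits(c), strict.Permits(c), ps.Permits(c))
	}
}
```

The lowercase `get-service` sample is rejected by the PowerShell policy because the allow pattern is case sensitive.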

