RPort
Search…
Executing commands
Execute command on a single client

Security notice

The execution of commands must be allowed in the rport client configuration file /etc/rport/rport.conf on Linux or C:\Program Files\rport\rport.conf on Windows.
You can create a list of allowed commands and a list of disallowed commands. This allows fine-grained filtering.
rport.conf
1
[remote-commands]
2
## Enable or disable execution of remote commands sent by server.
3
## Defaults: true
4
#enabled = true
5
6
## Allow commands matching the following regular expressions.
7
## The filter is applied to the command sent. Full path must be used.
8
## See {order} parameter for more details how it's applied together with {deny}.
9
## Defaults: ['^/usr/bin/.*','^/usr/local/bin/.*','^C:\\Windows\\System32\\.*']
10
#allow = ['^/usr/bin/.*','^/usr/local/bin/.*','^C:\\Windows\\System32\\.*']
Copied!
Allowing remote command without restrictions makes the RPort server very powerful. Persons who have access to the RPort server API or the webinterface can take full controll over connected clients. 👉 It's highly recommended to use two-factor authentication.

Multiple commands

It is possible to execute multiple commands. On Windows, you must concatenate the commands with a single ampersand &. On Linux, you can use line breaks or the semicolon.
Execution of two command in a single run.
Bear in mind that the concatenation signs &, ; , \n must be allowed by the regular expression on the command restrictions.

👺Pitfalls

If you only want to allow a limited set of commands, pay special attention to the deny rules. Look at the following example.
rport.conf
1
allow = ['^systemctl (status|restart).*']
2
deny = []
3
order = ['allow','deny']
Copied!
These rules are leading to an unrestricted command execution because systemctl (status|restart) can be followed by any character. For example, systemctl status cron;poweroff is possible. If you want to allow just single command but with parameters, you must deny all characters that allow command concatenation.
rport.conf
1
deny = ['(\||<|>|;|,|\n|&)']
Copied!
Command concatenation rejected.

Windows PowerShell

Command are always executed on the cmd.exe shell of Windows. To execute a PowerShell command, you must prefix the command with powershell, for example, powershell "Get-Service spooler".
Executing powershell commands
If you only want to allow restarting any service via PowerShell change your configuration as follows.
1
allow = ['^powershell \"(Get|Restart)-Service .*\"']
2
deny = ['(\||<|>|;|,|\n|&)']
3
order = ['allow','deny']
Copied!
While the PowerShell is case insentive, the regular expression for the filtering are not. They are case sensitive and the commands must by typed in with the correct capitalization.