RPort
Search
K
Links
Comment on page

Executing commands

Execute command on a single client

Security notice

The execution of commands must be allowed in the rport client configuration file /etc/rport/rport.conf on Linux or C:\Program Files\rport\rport.conf on Windows.
You can create a list of allowed commands and a list of disallowed commands. This allows fine-grained filtering.
rport.conf
[remote-commands]
## Enable or disable execution of remote commands sent by server.
## Defaults: true
#enabled = true
## Allow commands matching the following regular expressions.
## The filter is applied to the command sent. Full path must be used.
## See {order} parameter for more details how it's applied together with {deny}.
## Defaults: ['^/usr/bin/.*','^/usr/local/bin/.*','^C:\\Windows\\System32\\.*']
#allow = ['^/usr/bin/.*','^/usr/local/bin/.*','^C:\\Windows\\System32\\.*']
Allowing remote command without restrictions makes the RPort server very powerful. Persons who have access to the RPort server API or the webinterface can take full controll over connected clients. 👉 It's highly recommended to use two-factor authentication.

Multiple commands

It is possible to execute multiple commands. On Windows, you must concatenate the commands with a single ampersand &. On Linux, you can use line breaks or the semicolon.
Execution of two command in a single run.
Bear in mind that the concatenation signs &, ; , \n must be allowed by the regular expression on the command restrictions.

👺Pitfalls

If you only want to allow a limited set of commands, pay special attention to the deny rules. Look at the following example.
rport.conf
allow = ['^systemctl (status|restart).*']
deny = []
order = ['allow','deny']
These rules are leading to an unrestricted command execution because systemctl (status|restart) can be followed by any character. For example, systemctl status cron;poweroff is possible. If you want to allow just single command but with parameters, you must deny all characters that allow command concatenation.
rport.conf
deny = ['(\||<|>|;|,|\n|&)']
Command concatenation rejected.

Windows PowerShell

Command are always executed on the cmd.exe shell of Windows. To execute a PowerShell command, you must prefix the command with powershell, for example, powershell "Get-Service spooler".
Executing powershell commands
If you only want to allow restarting any service via PowerShell change your configuration as follows.
allow = ['^powershell \"(Get|Restart)-Service .*\"']
deny = ['(\||<|>|;|,|\n|&)']
order = ['allow','deny']
While the PowerShell is case insentive, the regular expression for the filtering are not. They are case sensitive and the commands must by typed in with the correct capitalization.