Script and command execution
Command execution
Enabling script and command execution is neither a global switch nor an either/or decision. You can control at a fine-grained level which commands are allowed and which are not. See the example below.
[remote-commands]
## Enable or disable execution of remote commands sent by server.
## Defaults: true
#enabled = true
## Limit the maximum length of the command output that is sent back to server.
## Applies to the stdout and stderr separately.
## If exceeded, {send_back_limit} bytes are sent.
## Defaults: 2048
#send_back_limit = 2048
## Allow commands matching the following regular expressions.
## The filter is applied to the command sent. Full path must be used.
## See the {order} parameter for more details on how it's applied together with {deny}.
## Defaults: ['^/usr/bin/.*','^/usr/local/bin/.*','^C:\\Windows\\System32\\.*']
#allow = ['^/usr/bin/.*','^/usr/local/bin/.*','^C:\\Windows\\System32\\.*']
## Deny commands matching one of the following regular expressions.
## The filter is applied to the command sent. Full path must be used.
## See the {order} parameter for more details on how it's applied together with {allow}.
## With the below default filter only single commands are allowed.
## Defaults: ['(\||<|>|;|,|\n|&)']
#deny = ['(\||<|>|;|,|\n|&)']
## Order: ['allow','deny'] or ['deny','allow']. Determines which filter is applied first.
## Defaults: ['allow','deny']
##
## order: ['allow','deny']
## First, all allow directives are evaluated; at least one must match, or the command is rejected.
## Next, all deny directives are evaluated. If any matches, the command is rejected.
## Last, any commands which do not match an allow or a deny directive are denied by default.
## Example:
## allow: ['^/usr/bin/.*']
## deny: ['^/usr/bin/zip']
## All commands in /usr/bin except '/usr/bin/zip' can be executed. Full path must be used.
##
## order: ['deny','allow']
## First, all deny directives are evaluated; if any match,
## the command is denied UNLESS it also matches an allow directive.
## Any commands which do not match any allow or deny directive are permitted.
## Example:
## deny: ['.*']
## allow: ['zip$']
## All commands are denied except those ending in zip.
##
#order = ['allow','deny']
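To check a filter set before deploying it, the allow/deny/order rules described in the comments above can be modelled offline. This is an added example, not the agent's own code; `is_permitted`, `CASES` and the sample commands are constructed for illustration. It assumes the patterns are applied as unanchored searches over the whole command line, arguments included, with Python's `re` standing in for the agent's regex engine.

```python
import re

# Defaults copied from the [remote-commands] section above.
DEFAULT_ALLOW = [r'^/usr/bin/.*', r'^/usr/local/bin/.*', r'^C:\\Windows\\System32\\.*']
DEFAULT_DENY = [r'(\||<|>|;|,|\n|&)']


def is_permitted(command, allow, deny, order):
    """Apply the documented allow/deny/order rules to one command string.

    Assumption: patterns are unanchored searches over the full command line.
    """
    allowed = any(re.search(p, command) for p in allow)
    denied = any(re.search(p, command) for p in deny)
    if order == ['allow', 'deny']:
        # Must match an allow pattern and no deny pattern; no match means denied.
        return allowed and not denied
    if order == ['deny', 'allow']:
        # A deny match is overridden by an allow match; no match means permitted.
        return allowed or not denied
    raise ValueError("order must be ['allow','deny'] or ['deny','allow']")


# Constructed sample commands, grouped by the configuration they are tested against.
CASES = [
    ("defaults", DEFAULT_ALLOW, DEFAULT_DENY, ['allow', 'deny'], [
        '/usr/bin/uptime',                       # full path, single command
        'uptime',                                # no full path
        '/usr/bin/uptime | /usr/bin/wc -l',      # pipe hits the deny filter
        r'C:\Windows\System32\ipconfig.exe /all',
    ]),
    ("allow,deny example", [r'^/usr/bin/.*'], [r'^/usr/bin/zip'], ['allow', 'deny'], [
        '/usr/bin/zip -r a.zip dir',
        '/usr/bin/zipinfo a.zip',                # also caught: deny pattern is a prefix
        '/usr/bin/unzip a.zip',
    ]),
    ("deny,allow example", [r'zip$'], [r'.*'], ['deny', 'allow'], [
        '/usr/bin/zip',
        '/usr/bin/zip -r a.zip dir',             # arguments: string does not end in "zip"
        '/usr/bin/gunzip',                       # ends in "zip", so it is permitted
    ]),
]

if __name__ == "__main__":
    for name, allow, deny, order, commands in CASES:
        for cmd in commands:
            verdict = "permit" if is_permitted(cmd, allow, deny, order) else "deny"
            print(f"{name:20} {verdict:7} {cmd!r}")
```

Under ['deny','allow'] a command that matches neither list is permitted, so that order only restricts execution when the deny list is broad, as with the `.*` in the example above.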