# Executing commands

### Security notice

The execution of commands must be allowed in the rport client configuration file `/etc/rport/rport.conf` on Linux or `C:\Program Files\rport\rport.conf` on Windows.

You can create a list of allowed commands and a list of disallowed commands. This allows fine-grained filtering.

{% code title="rport.conf" %}

```
[remote-commands]
  ## Enable or disable execution of remote commands sent by server.
  ## Defaults: true
  #enabled = true

  ## Allow commands matching the following regular expressions.
  ## The filter is applied to the command sent. Full path must be used.
  ## See {order} parameter for more details how it's applied together with {deny}.
  ## Defaults: ['^/usr/bin/.*','^/usr/local/bin/.*','^C:\\Windows\\System32\\.*']
  #allow = ['^/usr/bin/.*','^/usr/local/bin/.*','^C:\\Windows\\System32\\.*']
```

{% endcode %}

See [all configuration options](https://github.com/openrport/openrport/blob/master/rport.example.conf#L132-L177) and more [configuration examples](https://oss.openrport.io/get-started/command-execution/).

{% hint style="danger" %}
Allowing remote commands without restrictions makes the RPort server very powerful. Anyone who has access to the RPort server API or the web interface can take full control over connected clients. 👉 It's highly recommended to use two-factor authentication.
{% endhint %}

It is possible to execute multiple commands. On Windows, you must concatenate the commands with a single ampersand `&`. On Linux, you can use line breaks or the semicolon.

![Execution of two commands in a single run.](https://1142160776-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MekeI9EovpQqbUTQSdM%2F-MkgLKp8Dwv6BDMpOzvl%2F-MkgPeOtxjyzyFqvfq9S%2Fimage.png?alt=media\&token=b1c5f3a5-c453-4bf4-8392-c95fe1a736e5)

Bear in mind that the concatenation signs `&` and `;` must be allowed by the regular expressions of the command restrictions.

### 👺Pitfalls

If you only want to allow a limited set of commands, pay special attention to the deny rules. Look at the following example.

{% code title="rport.conf" %}

```
allow = ['^systemctl (status|restart).*']
deny = []
order = ['allow','deny']
```

{% endcode %}

These rules lead to unrestricted command execution because `systemctl (status|restart)` can be followed by any character. For example, `systemctl status cron;poweroff` is possible. If you want to allow just a single command but with parameters, you must deny all characters that allow command concatenation.

![Command concatenation rejected.](https://1142160776-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MekeI9EovpQqbUTQSdM%2F-MkgLKp8Dwv6BDMpOzvl%2F-MkgUbCwVUNzeTpyuAsf%2Fimage.png?alt=media\&token=17d2a7b3-a5d4-4e70-90c8-e5dc5d49581b)

Commands are always executed in the `cmd.exe` shell on Windows. To execute a PowerShell command, you must prefix the command with `powershell`, for example, `powershell "Get-Service spooler"`.

![Executing powershell commands](https://1142160776-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MekeI9EovpQqbUTQSdM%2F-MkgLKp8Dwv6BDMpOzvl%2F-MkgWJDSNdcQNIst7PW1%2Fimage.png?alt=media\&token=da448d44-8545-4a87-8bde-3f1ffdfa1a56)

If you only want to allow restarting any service via PowerShell, change your configuration as follows.

```
allow = ['^powershell \"(Get|Restart)-Service .*\"']
deny = ['(\||<|>|;|,|\n|&)']
order = ['allow','deny']
```

{% hint style="info" %}
While PowerShell is case-insensitive, the regular expressions used for filtering are not. They are case-sensitive, and commands must be typed with the correct capitalization.
{% endhint %}
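
The pitfalls above can be checked before a rule set is deployed. The following is an added example, not RPort's own code: a Python model that assumes `order = ['allow','deny']` means a command must match at least one `allow` pattern and no `deny` pattern, run over constructed sample commands. Reusing the PowerShell `deny` list for the `systemctl` rule is also an assumption.

```python
import re

def is_allowed(command, allow, deny):
    """Assumed model of order = ['allow','deny']: the command must match
    at least one allow pattern and must not match any deny pattern."""
    if not any(re.search(p, command) for p in allow):
        return False
    return not any(re.search(p, command) for p in deny)

# Patterns copied from the page's rport.conf snippets (raw strings keep the
# backslashes exactly as written in the TOML single-quoted values).
SYSTEMCTL_ALLOW = [r'^systemctl (status|restart).*']
POWERSHELL_ALLOW = [r'^powershell \"(Get|Restart)-Service .*\"']
CONCAT_DENY = [r'(\||<|>|;|,|\n|&)']

# Constructed sample commands, not taken from a real system.
SAMPLES = [
    'systemctl status cron',
    'systemctl status cron;poweroff',
    'systemctl status cron\npoweroff',
    'powershell "Get-Service spooler"',
    'powershell "get-service spooler"',
    'powershell "Restart-Service spooler" & hostname',
]

def audit(allow, deny, samples=SAMPLES):
    """Return {command: True/False} so a rule set can be reviewed at a glance."""
    return {cmd: is_allowed(cmd, allow, deny) for cmd in samples}

if __name__ == '__main__':
    rule_sets = {
        'systemctl, deny = []': (SYSTEMCTL_ALLOW, []),
        'systemctl, concatenation denied': (SYSTEMCTL_ALLOW, CONCAT_DENY),
        'powershell, concatenation denied': (POWERSHELL_ALLOW, CONCAT_DENY),
    }
    for name, (allow, deny) in rule_sets.items():
        print(name)
        for cmd, ok in audit(allow, deny).items():
            print(f'  {"ALLOW" if ok else "DENY ":5} {cmd!r}')
```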
