In the default agent configuration the DenyKey section is above the AllowKey section. Therefore, any system.run[...] item matches the predefined DenyKey=system.run[*] entry and is denied. To fix, move the AllowKey section before the DenyKey section.
Steps to reproduce:
- Install the agent in version 5.0. Set EnableRemoteCommands=1. Do not modify the configuration with regard to the DenyKey, AllowKey options.
- Attempt to request "system.run[echo 1]". It fails as expected.
- Add an AllowKey configuration item: AllowKey=system.run[echo 1].
- Try the item again. It still fails, contrary to expectation.
- In the configuration file, move the AllowKey section above the DenyKey section.
- Try again. The "echo 1" item is correctly executed while other system.run[...] items are disabled as expected.