diff --git a/command/agent/config.go b/command/agent/config.go index f91853cdde..efb15e9757 100644 --- a/command/agent/config.go +++ b/command/agent/config.go @@ -235,6 +235,10 @@ type Config struct { // agent layer using the standard APIs. Watches []map[string]interface{} `mapstructure:"watches"` + // DisableRemoteExec is used to turn off the remote execution + // feature. This is for security to prevent unknown scripts from running. + DisableRemoteExec bool `mapstructure:"disable_remote_exec"` + // AEInterval controls the anti-entropy interval. This is how often // the agent attempts to reconcile it's local state with the server' // representation of our state. Defaults to every 60s. @@ -676,6 +680,9 @@ func MergeConfig(a, b *Config) *Config { if len(b.WatchPlans) != 0 { result.WatchPlans = append(result.WatchPlans, b.WatchPlans...) } + if b.DisableRemoteExec { + result.DisableRemoteExec = true + } // Copy the start join addresses result.StartJoin = make([]string, 0, len(a.StartJoin)+len(b.StartJoin)) diff --git a/command/agent/config_test.go b/command/agent/config_test.go index 75c0610a9e..bf939a6981 100644 --- a/command/agent/config_test.go +++ b/command/agent/config_test.go @@ -405,6 +405,17 @@ func TestDecodeConfig(t *testing.T) { if !reflect.DeepEqual(out, exp) { t.Fatalf("bad: %#v", config) } + + // remote exec + input = `{"disable_remote_exec": true}` + config, err = DecodeConfig(bytes.NewReader([]byte(input))) + if err != nil { + t.Fatalf("err: %s", err) + } + + if !config.DisableRemoteExec { + t.Fatalf("bad: %#v", config) + } } func TestDecodeConfig_Service(t *testing.T) { @@ -566,6 +577,7 @@ func TestMergeConfig(t *testing.T) { "handler": "foobar", }, }, + DisableRemoteExec: true, } c := MergeConfig(a, b)