12 replies

Headless macOS node: bash -c always denied despite exec-approvals allowlist

✅Solved

How do I allow bash -c on a headless macOS node with no companion app UI? askFallback: full in exec-approvals.json still denies shell wrappers.

Solution

Yeah — keeping an allowlist is the right instinct.

The catch is: “allowlist +
bash -c '<anything>'
bash -c '<anything>'
” is basically a contradiction from a security POV.

- If you allowlist
/bin/bash
/bin/bash
, then

bash -c "…"

bash -c "…"

can run any program the user account can run. At that point your “allowlist” isn’t meaningfully constraining execution anymore (it only constrains “must go through bash”).
- If you don’t allowlist bash, then

bash -c …

bash -c …

will (correctly) be treated as an allowlist miss / wrapper and get denied.

The intended safe pattern (works headless)

Don’t wrap in

bash -c

bash -c

at all. Send the actual shell snippet, and allowlist the real executables you want to permit.

OpenClaw already runs string commands on macOS nodes via a shell wrapper (

/bin/sh -lc <command>

/bin/sh -lc <command>

), but the allowlist logic is applied to the inner command segments (e.g.

rg

rg

git

git

python

python

), not to

/bin/sh

/bin/sh

.

So instead of:

bash -c 'rg foo . | jq -r .bar'

bash -c 'rg foo . | jq -r .bar'

Jump to solution

FotC�

Friends of the Crustacean 🦞🤝•2w ago•

12 replies

mannewalis

Headless macOS node: bash -c always denied despite exec-approvals allowlist

✅Solved

How do I allow bash -c on a headless macOS node with no companion app UI? askFallback: full in exec-approvals.json still denies shell wrappers.

Solution

bash -c "…"

bash -c "…"

bash -c …

bash -c …

will (correctly) be treated as an allowlist miss / wrapper and get denied.

The intended safe pattern (works headless)

Don’t wrap in

bash -c

bash -c

at all. Send the actual shell snippet, and allowlist the real executables you want to permit.

OpenClaw already runs string commands on macOS nodes via a shell wrapper (

/bin/sh -lc <command>

/bin/sh -lc <command>

), but the allowlist logic is applied to the inner command segments (e.g.

rg

rg

git

git

python

python

), not to

/bin/sh

/bin/sh

.

So instead of:

bash -c 'rg foo . | jq -r .bar'

bash -c 'rg foo . | jq -r .bar'

Jump to solution

Headless macOS node: bash -c always denied despite exec-approvals allowlist

The intended safe pattern (works headless)

Similar Threads

Headless macOS node: bash -c always denied despite exec-approvals allowlist

The intended safe pattern (works headless)

Similar Threads

Similar Threads

Similar Threads