The commandPath property

Use the commandPath property to restrict the locations that WebSphere® MQ Managed File Transfer can run commands from.

You can specify a command to be run on the system where the agent is running from the managed transfer and managed call functions of WebSphere MQ Managed File Transfer. See Program invocation for information. However, commands must be on paths referenced by the commandPath agent property.

If the command specified is not fully qualified, WebSphere MQ Managed File Transfer attempts to find a matching command on the command path. If there is more than one matching command on the command path, the first match is used.

By default, the commandPath property is empty so that the agent cannot call any commands. Take extreme care when you set this property, because any command in one of the specified commandPath directories can effectively be called from a remote client system that is able to send commands to the agent. For this reason, by default, when you specify a commandPath, sandboxing is configured so that all commandPath directories are automatically denied access for a transfer. You can set the sandboxRoot property to override this default behavior, but doing so is not recommended, because it effectively enables a client to transfer any command to the agent's system and call that command.

Specify the commandPath agent property as follows:
commandPath=command_directory_name separator...command_directory_name

where:
  • command_directory_name is a directory path for commands that can be run.
  • separator is the platform-specific separator.

For example, on a UNIX system if you want to run commands that are located in the directories /home/user/cmds1 and /home/user/cmds2, set the commandPath agent property as follows:
commandPath=/home/user/cmds1:/home/user/cmds2

For example, on a Windows system if you want to run commands that are located in the directories C:\File Transfer\commands and C:\File Transfer\agent commands, set the commandPath agent property as follows:
commandPath=C:\\File Transfer\\commands;C:\\File Transfer\\agent commands
On a Windows system, the backslash character (\) used as the directory separator must be escaped and entered as a double backslash (\\). The backslash character (\) can also be replaced with a forward slash (/).

For example, on an IBM® 4690 system the separator character is a semicolon (;). To run commands that are located in the directories f:/fteuser/cmds and mqftcmds:/public where mqftcmds is an IBM 4690 logical name defined to a directory that contains the commands, set the commandPath agent property as follows:
commandPath=f:/fteuser/cmds;mqftcmds:/public
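
The following audit sketch is an added example, not IBM's code. It reads agent properties text, splits commandPath on the platform separator, flags a sandboxRoot override and (POSIX only) command directories writable by group or others, and models the first-match lookup described above. The function names, the simplified properties parsing, and the sample values are assumptions.

```python
import os

def parse_properties(text):
    # Simplified Java-properties reader (assumption): key=value lines,
    # '#' or '!' comments, and an escaped double backslash read as one.
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip().replace("\\\\", "\\")
    return props

def command_dirs(props, sep):
    # sep is the platform separator: ':' on UNIX, ';' on Windows and IBM 4690.
    return [d for d in props.get("commandPath", "").split(sep) if d]

def audit(props, sep):
    # Returns findings for a reviewer; an empty list means nothing was flagged.
    dirs = command_dirs(props, sep)
    if not dirs:
        return []  # default state: empty commandPath, no commands can be called
    findings = []
    if props.get("sandboxRoot"):
        findings.append("sandboxRoot is set together with commandPath: the default "
                        "denial of transfers into command directories is overridden")
    for d in dirs:
        # POSIX mode bits only; Windows ACLs are not visible through st_mode.
        if os.path.isdir(d) and os.stat(d).st_mode & 0o022:
            findings.append(f"{d} is writable by group or others")
    return findings

def first_match(command, dirs):
    # Models the stated rule: an unqualified command resolves to the first
    # directory on the command path that contains it.
    for d in dirs:
        candidate = os.path.join(d, command)
        if os.path.isfile(candidate):
            return candidate
    return None

# Constructed sample input, not taken from a real agent.
SAMPLE_WINDOWS = r"""# constructed example
commandPath=C:\\File Transfer\\commands;C:\\File Transfer\\agent commands
sandboxRoot=C:\\File Transfer\\inbound
"""

if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE_WINDOWS), ";"):
        print("FINDING:", finding)
```
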

The commandPath property is described in Table 2.