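Problem description
When running remote commands through an OpenClaw Node, I hit a `SYSTEM_RUN_DENIED: approval required` error. `security: full` and `ask: off` were already set and the configuration displayed correctly, yet the command was still denied.
Environment
- **OpenClaw version**: 2026.5.28
- **Architecture**: Gateway (multi-server) + Node (Work-PC)
- **Operating systems**: Gateway (Ubuntu), Node (Windows + WSL2)
- **Goal**: run SQLite queries against the WorkSnap database on the Node
Symptom
```
# Run on the Gateway
exec(host="node", command="hostname")
# Returns
UNAVAILABLE: SYSTEM_RUN_DENIED: approval required
```
Troubleshooting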
1. Check the Gateway configuration
```bash
openclaw config get
```
The configuration is correct:
```json
{
  "tools": {
    "exec": {
      "security": "full",
      "ask": "off",
      "host": "auto"
    }
  },
  "agents": {
    "list": [
      {
        "id": "main",
        "tools": {
          "exec": {
            "node": "6009e1d3f068e1cab0dcf9c99060b292739a19c2076198cec06ff1922a3bd555"
          }
        }
      }
    ]
  }
}
```
2. Check the Node approvals configuration
```bash
cat ~/.openclaw/exec-approvals.json
```
Initial configuration (the problematic version):
```json
{
  "version": 1,
  "socket": {
    "path": "/home/administrator/.openclaw/exec-approvals.sock",
    "token": "Uh_SGs…xr1n"
  },
  "defaults": {
    "security": "full",
    "ask": "off",
    "askFallback": "full",
    "autoAllowSkills": true
  },
  "agents": {}
}
```
3. Verify the effective policy
```bash
openclaw approvals get --node Work
```
The output shows the configuration is being read correctly:
```
Effective Policy
┌────────────┬────────────────────────┬────────────────────────┬───────────────────┐
│ Scope      │ Requested              │ Effective              │ Notes             │
├────────────┼────────────────────────┼────────────────────────┼───────────────────┤
│ tools.exec │ security=full, ask=off │ security=full, ask=off │ requested applies │
└────────────┴────────────────────────┴────────────────────────┴───────────────────┘
```
4. Fixes attempted (none worked)
- ✅ Edited the Gateway `openclaw.json`: `tools.exec.ask: off`
- ✅ Edited the Node `exec-approvals.json`: removed the `permissions` field
- ✅ Restarted the Node service: `systemctl --user restart openclaw-node`
- ✅ Restarted the Gateway: `openclaw gateway stop && openclaw gateway start`
- ✅ Checked the Node logs: no error messages
- ✅ Read the official documentation and GitHub issues
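Root cause
**The `socket` field in `exec-approvals.json` prevented the configuration from taking effect.**
When the `socket` field is present, OpenClaw tries to obtain the approvals configuration over a Unix socket (`exec-approvals.sock`). If:
1. The socket file does not exist
2. The socket file has incorrect permissions
3. Communication over the socket fails

then it falls back to some default behavior (possibly deny), so the `security: full` and `ask: off` values in the configuration file are ignored.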
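
A pre-flight check for the three conditions listed above, as an added example that is not from the original post or from OpenClaw: it reads an `exec-approvals.json`, reports whether a `socket` block is present, and if so whether the socket path exists, is a socket, is accessible and accepts a connection. The function names and finding labels are made up for this example, the sample configs are constructed, and the link between a dead socket and the denial is this post's diagnosis.

```python
import json, os, pathlib, socket, stat, tempfile

def check_approvals(path):
    """Findings for one exec-approvals.json; the finding labels are this example's own."""
    try:
        with open(path, encoding="utf-8") as fh:
            cfg = json.load(fh)
        defaults = cfg.get("defaults", {})
    except (OSError, ValueError, AttributeError) as exc:
        return [f"unreadable-config: {exc}"]
    findings = [f"missing-default: {k}"
                for k in ("security", "ask", "askFallback") if k not in defaults]
    sock = cfg.get("socket")
    if sock is None:
        return findings                      # no socket block: file defaults apply
    findings.append("socket-present")
    sock_path = sock.get("path", "") if isinstance(sock, dict) else ""
    try:
        mode = os.stat(sock_path).st_mode
    except OSError:
        return findings + ["socket-missing"]         # condition 1 on the page
    if not stat.S_ISSOCK(mode):
        return findings + ["socket-not-a-socket"]
    if not os.access(sock_path, os.R_OK | os.W_OK):
        return findings + ["socket-no-access"]       # condition 2 on the page
    probe = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    probe.settimeout(1)
    try:
        probe.connect(sock_path)             # a stale socket file refuses the connection
    except OSError:
        findings.append("socket-connect-failed")     # condition 3 on the page
    finally:
        probe.close()
    return findings

def demo():
    """Run the check over two constructed configs written to a temp directory."""
    defaults = {"security": "full", "ask": "off", "askFallback": "full"}
    with tempfile.TemporaryDirectory() as tmp:
        def write(name, cfg):
            p = pathlib.Path(tmp, name)
            p.write_text(json.dumps(cfg), encoding="utf-8")
            return p
        stale = {"version": 1, "defaults": defaults, "socket": {"path": tmp + "/gone.sock"}}
        fixed = {"version": 1, "defaults": defaults, "agents": {}}
        return {"stale": check_approvals(write("stale.json", stale)),
                "fixed": check_approvals(write("fixed.json", fixed))}

if __name__ == "__main__":
    print(demo())
```

On a real node, call `check_approvals(os.path.expanduser("~/.openclaw/exec-approvals.json"))` as the user that runs the `openclaw-node` service, so the permission check reflects what the service sees.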
Solution
**Delete the `socket` field from `exec-approvals.json`.**
Configuration after the fix:
```json
{
  "version": 1,
  "defaults": {
    "security": "full",
    "ask": "off",
    "askFallback": "full",
    "autoAllowSkills": true
  },
  "agents": {}
}
```
Then restart the Node service:
```bash
systemctl --user restart openclaw-node
```
Verify the fix:
```
# Test from the Gateway
exec(host="node", command="hostname")
# Returns
DESKTOP-46MKU59 ✅ Success!
```
Verify the complete YOLO mode configuration
Gateway side
```bash
openclaw config set tools.exec.security full
openclaw config set tools.exec.ask off
```
Or edit `/root/.openclaw/openclaw.json` directly:
```json
{
  "tools": {
    "exec": {
      "security": "full",
      "ask": "off"
    }
  }
}
```
Node side
Edit `~/.openclaw/exec-approvals.json` (**key point: do not include the socket field**):
```json
{
  "version": 1,
  "defaults": {
    "security": "full",
    "ask": "off",
    "askFallback": "full",
    "autoAllowSkills": true
  },
  "agents": {}
}
```
Restart the services
```bash
# Node side
systemctl --user restart openclaw-node
# Gateway side
openclaw gateway restart
```
Lessons learned
1. **The socket configuration trap**: the `socket` field in `exec-approvals.json` is an advanced feature used for local IPC with the macOS App. In a headless node environment with no UI, this setting keeps the approvals system from working properly.
2. **YOLO mode essentials**: three layers of configuration must all be in place:
   - Gateway: `tools.exec.security: full`, `tools.exec.ask: off`
   - Node: `exec-approvals.json` defaults (`security`, `ask`, `askFallback`)
   - **Key point**: remove any `socket` configuration that could interfere
3. **Debugging approach**:
   - Use `openclaw approvals get --node
   - Check the Node logs: `journalctl --user -u openclaw-node`
   - Confirm the configuration file is well-formed (JSON syntax)
4. **Documentation references**:
   - [Exec approvals - OpenClaw](https://docs.openclaw.ai/tools/exec-approvals)
   - [Node troubleshooting - OpenClaw](https://docs.openclaw.ai/nodes/troubleshooting)
   - GitHub issue #58691, #7013
Appendix: complete configuration examples
Gateway (`/root/.openclaw/openclaw.json`)
```json
{
  "tools": {
    "exec": {
      "security": "full",
      "ask": "off",
      "host": "auto"
    }
  },
  "agents": {
    "list": [
      {
        "id": "main",
        "tools": {
          "profile": "full",
          "exec": {
            "node": ""
          }
        }
      }
    ]
  }
}
```
Node (`~/.openclaw/exec-approvals.json`)
```json
{
  "version": 1,
  "defaults": {
    "security": "full",
    "ask": "off",
    "askFallback": "full",
    "autoAllowSkills": true
  },
  "agents": {}
}
```
---
**Time spent**: about 4 hours
**Final fix**: deleting one line of configuration
**Recorded on**: 2026-05-31