mcp-linux-tools
Allows checking the status and reloading or restarting the Apache web server via systemd.
Allows checking the status and reloading or restarting the Docker service via systemd.
Provides safe Git commands for repository operations (no push/force).
Allows read-only MySQL database queries, blocking dangerous operations.
Allows checking the status and reloading or restarting the Odoo ERP service via systemd.
Allows checking the status and reloading or restarting the PHP-FPM service via systemd.
Allows checking the status and reloading or restarting the PostgreSQL database server via systemd.
Executes sandboxed Python code with no network access and an 8-second timeout.
Provides WP-CLI commands, cache flushing, plugin/user listing, and log tailing for WordPress sites.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@mcp-linux-toolscheck the status of nginx"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
π οΈ MCP Linux Tools β Complete Tool Reference for LLMs
π Description
MCP Linux Tools is an MCP (Model Context Protocol) server that exposes a secure, whitelisted set of operations on a Linux server. It allows AI assistants (such as Cursor) to perform controlled system administration tasks like reading logs, checking service status, managing cron jobs, running WP-CLI commands, and executing sandboxed Python codeβall through a uniform API with strict security constraints.
The server runs as a systemd service and communicates over HTTP. All operations are restricted by configurable whitelists (directories, services, WordPress sites). Tools return a uniform response contract {success, data, error, meta}.
Related MCP server: MCP Process Server
β¨ Features
π Metadata & Discovery β Server info, service whitelist, WordPress allowed sites
π File Operations β Read files, list directories, head/tail logs (whitelisted paths only)
βοΈ System Services β Check status, reload or restart whitelisted services
π Python Sandbox β Execute Python code (no network, 8s timeout)
β° Cron Management β List, add, remove, enable/disable cron jobs
π WordPress β WP-CLI runner, cache flush, plugin/user listing, log tailing
ποΈ Database β Read-only MySQL queries (dangerous queries blocked)
π‘ Network β Ping for connectivity testing
π Git β Safe Git commands (no push/force)
π¦ Installation
Requirements
Python 3.13 or higher
Root access (for systemctl and crontab)
Linux system with systemd
Step 1: Clone Repository
# Clone the MCP server repository to /opt/mcp
sudo mkdir -p /opt
cd /opt
sudo git clone https://github.com/gerard-kanters/mcp-linux-tools.git mcp
cd /opt/mcpStep 2: Create Python Virtual Environment
# Create virtual environment
sudo python3.13 -m venv /opt/mcp/venv
# Install dependencies
sudo /opt/mcp/venv/bin/pip install --upgrade pip
sudo /opt/mcp/venv/bin/pip install -r requirements.txt --break-system-packagesStep 3: Configure
Edit config.json and adjust the settings for your server:
Set
server_type(development or production)Set
server_ipto your server's IP addressSet
server_nameto identify this serverConfigure directory whitelists, service whitelist, and other settings as needed
See the Configuration section below for detailed information about all configuration options.
Step 4: Create Sandbox Directory
sudo mkdir -p /opt/mcp/sandbox
sudo chown root:root /opt/mcp/sandbox
sudo chmod 755 /opt/mcp/sandboxStep 5: Install Systemd Service
Create a service file: /etc/systemd/system/mcp-linux-tools.service
[Unit]
Description=MCP Linux Tools Server
After=network.target
[Service]
Type=simple
User=root
WorkingDirectory=/opt/mcp
ExecStart=/opt/mcp/venv/bin/python /opt/mcp/server.py
Restart=always
RestartSec=10
StandardOutput=journal
StandardError=journal
# Security settings
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/log /opt/mcp/sandbox
[Install]
WantedBy=multi-user.targetEnable and start the service:
sudo systemctl daemon-reload
sudo systemctl enable mcp-linux-tools.service
sudo systemctl start mcp-linux-tools.service
sudo systemctl status mcp-linux-tools.serviceStep 6: Cursor MCP Configuration
Add to your Cursor MCP configuration (usually ~/.cursor/mcp.json or in Cursor settings):
{
"mcpServers": {
"linux-tools": {
"command": "curl",
"args": [
"-X", "POST",
"http://192.168.1.22:8765/mcp",
"-H", "Content-Type: application/json",
"-d", "@-"
]
}
}
}Or use direct HTTP transport in Cursor MCP settings with:
URL:
http://192.168.1.22:8765/mcpTransport: HTTP
Verification
Check if the server is running:
# Check service status
sudo systemctl status mcp-linux-tools.service
# Check logs
sudo journalctl -u mcp-linux-tools.service -f
# Test HTTP endpoint
curl -X POST http://localhost:8765/mcp -H "Content-Type: application/json" -d '{"jsonrpc":"2.0","method":"tools/list","id":1}'Installing Updates
To update the MCP server:
cd /opt/mcp
sudo git pull origin main # or master, depending on your branch
sudo /opt/mcp/venv/bin/pip install -r requirements.txt --break-system-packages
sudo systemctl restart mcp-linux-tools.serviceImportant: After an update, check if config.json is still correct. New configuration options may have been added.
ποΈ Architecture
The server follows a modular MCP architecture:
server.pyβ Entrypoint: config loading, MCP setup, tool registration, run/retry/signal handlingconfig.pyβ Config loading and validation (fail-fast on missing fields)register_tools.pyβ Central tool registrationcore/β Core modules:errors.pyβ Error codes (DENIED_PATH, INVALID_INPUT, COMMAND_BLOCKED, etc.)models.pyβ Pydantic models for uniform response contractresponse.pyβ ok(), err(), err_denied_* helperssecurity.pyβ Allowlist and path validationprocess.pyβ Subprocess runner
tools/β Tool modules per domain:discovery.py,filesystem.py,logs.py,systemd.pypython_exec.py,wordpress.py,cron_tools.py,ops.py
All tools return a uniform response contract: {success, data, error, meta}.
βοΈ Configuration
All configuration is done via config.json in the root of the MCP server directory (/opt/mcp/config.json).
Configuration Sections
Server Identification
server_type: "development" or "production"server_ip: IP address of the serverserver_name: Name for the MCP server
Server Listen (optional)
server.host: Bind address (default: "0.0.0.0")server.port: HTTP port (default: 8765)
Logging
logging.log_file: Path to log file
Limits
limits.max_bytes: Maximum file size for reading (default: 524288 = 512KB)limits.max_items: Maximum items in directory listings (default: 500)
Python Sandbox
python.bin: Path to Python interpreter (must be in venv)directories.sandbox_cwd: Working directory for Python sandbox
Directory Whitelists
directories.allowed_read: Directories from which files can be readdirectories.allowed_log: Directories where log files can be readdirectories.allowed_write: Directories where write operations are allowed
Services
services.whitelist: List of service names that can be managed
WordPress
wordpress.allowed_sites: Absolute paths to WordPress rootswordpress.bin_candidates: Possible locations for WP-CLI binarywordpress.log_candidates: Possible locations for WordPress debug logs
Important: After changes to config.json, the service must be restarted:
sudo systemctl restart mcp-linux-tools.serviceπ SECURITY OVERVIEW
LINUX SERVER Tools with limited write operations:
β WHAT IS ALLOWED:
READ Files (in allowed directories)
VIEW Logs (system logs)
CHECK Service STATUS and RESTART (only whitelisted services)
EXECUTE Python CODE (sandboxed, no network, 8s timeout)
MANAGE Cron JOBS (only within MCP-managed section)
β WHAT IS NOT ALLOWED:
Access to arbitrary directories (strict whitelisting)
Services STOP/START/ENABLE (only restart allowed)
Sudo/root operations
Python with network access
Modifying system crontab outside MCP section
π ALLOWED DIRECTORIES
Directory whitelists are configured in config.json under directories.
Read Access (allowed_read):
Default: /var/log, /etc, /tmp, /opt/, /root/scripts, /var/www
Log Access (allowed_log):
Default: /var/log, /tmp, /var/www
Write Access (allowed_write):
Default: /var/www, /opt/
Note: All directory paths are configurable via config.json. Changes require a service restart.
π οΈ ALLOWED SERVICES (SERVICE_WHITELIST)
The service whitelist is configured in config.json under services.whitelist. Only services in this list can be checked or restarted.
Default whitelist (as configured in config.json):
apache2- Apache webserverphp8.4-fpm- PHP FastCGI Process Managerpostfix- Mail serveropendkim- DomainKeys email authenticationsshd- SSH daemondocker- Container runtimememcached- Memory cache daemonpostgresql- PostgreSQL database serverodoo- Odoo ERP system
Note: Service names may vary by distribution. Use get_service_whitelist() to query the active whitelist.
π TOOL CATEGORIES
1οΈβ£ METADATA & DISCOVERY (Read-Only)
get_server_info()- Server identification (type, IP, name)get_service_whitelist()- List of manageable servicesget_wp_allowed_sites()- List of allowed WordPress sites
2οΈβ£ FILE OPERATIONS
list_dir(path, pattern, include_files, include_dirs, max_items)- Directory listing (Read-Only)read_file(path, max_bytes)- Read file (max 512KB, Read-Only)head(path, n)- First N lines (Read-Only)tail(path, n)- Last N lines (for logs, Read-Only)log_tail(path, n)- Alias for tail (clearer for logs, Read-Only)create_directory(path, owner, group, mode, parents)- Create directory β οΈ (only /var/www and /opt/)chmod_file(path, mode)- Change file permissions β οΈ (only /var/www and /opt/)chown_path(path, owner, group)- Change owner β οΈ (only /var/www and /opt/)
3οΈβ£ SYSTEM SERVICES
service_status(name)- Check status (Read-Only)reload_service(name)- Reload service viasystemctl reload(preferred action, low impact)restart_service(name, force_restart)- Service modification: default is reload, useforce_restart=Truefor full restart β οΈ (Live impact!)
4οΈβ£ PYTHON EXECUTION
python_run(code)- Sandboxed Python (no network, 8s timeout)
5οΈβ£ CRON MANAGEMENT
cron_list()- View crontab (Read-Only)cron_add(job_id, schedule, command)- Add job β οΈ (Live impact!)cron_remove(job_id)- Remove job β οΈ (Live impact!)cron_enable(job_id, enabled)- Enable/disable job β οΈ (Live impact!)cron_next_runs(schedule, n)- Validate schedule (Read-Only)
6οΈβ£ WORDPRESS OPERATIONS
wp_cli(site_path, args, as_www_data)- WP-CLI runner for allowed siteswp_cache_flush(site_path, as_www_data)- WordPress cache flushwp_plugin_list(site_path, as_www_data)- List all plugins (JSON)wp_user_list(site_path, as_www_data)- List all users (JSON)log_pick_path()- Find WordPress debug log pathlog_tail_ai(n)- Tail WP-log filtered on 'ai-translate:'log_tail_flow(n)- Tail WP-log filtered on mapping-flow eventslog_tail_keywords(keywords, n)- Tail WP-log filtered on keywords
7οΈβ£ DATABASE OPERATIONS
mysql_query(query, database)- Execute MySQL query (Read-Only, dangerous queries blocked)
8οΈβ£ NETWORK OPERATIONS
ping_host(host, count)- Test network connectivity (Read-Only)
9οΈβ£ GIT OPERATIONS
git_command(path, command)- Execute Git commands (only safe commands, no push/force)
π SYSTEM COMMANDS
execute_shell_command(command, user)- Execute shell command β οΈ (Live impact!)
π‘ USAGE EXAMPLES
Server Info:
{"tool": "get_server_info", "args": {}}Service Whitelist:
{"tool": "get_service_whitelist", "args": {}}Service Status:
{"tool": "service_status", "args": {
"name": "nginx"
}}Restart Service:
{"tool": "restart_service", "args": {
"name": "mysql"
}}View Log File:
{"tool": "log_tail", "args": {
"path": "/var/log/nginx/error.log",
"n": 100
}}Execute Python:
{"tool": "python_run", "args": {
"code": "import sys; print(sys.version)"
}}WordPress Cache Flush:
{"tool": "wp_cache_flush", "args": {
"site_path": "/var/www/netcare.nl"
}}WordPress Plugin List:
{"tool": "wp_plugin_list", "args": {
"site_path": "/var/www/netcare.nl"
}}MySQL Query:
{"tool": "mysql_query", "args": {
"query": "SHOW DATABASES;",
"database": ""
}}Network Ping:
{"tool": "ping_host", "args": {
"host": "8.8.8.8",
"count": 4
}}Git Status:
{"tool": "git_command", "args": {
"path": "/var/www/example",
"command": "status"
}}Add Cron Job:
{"tool": "cron_add", "args": {
"job_id": "backup_daily",
"schedule": "0 3 * * *",
"command": "/usr/bin/backup.sh"
}}β οΈ IMPORTANT NOTES FOR LLMs
Read-Only Default: Most tools are read-only. Write operations are limited to:
reload_service()/restart_service()- Service reload/restartcron_add/remove/enable()- Cron modificationscreate_directory()- Create directory (only /var/www and /opt/)chmod_file()- Change file permissions (only /var/www and /opt/)chown_path()- Change owner (only /var/www and /opt/)execute_shell_command()- Shell commands (use with caution!)
Whitelisting: Everything is whitelisted. Tools return "Denied" if you work outside the whitelist.
Service Names: Different distributions use different service names. For example:
DNS:
systemd-resolved,bind9, ornamedDHCP:
isc-dhcp-serverordhcpdMySQL:
mysql,mariadb, ormysqldSMB:
smbdorsamba
Security First:
No blind
rm -rfpossibleNo arbitrary file writes
Python is sandboxed
Cron commands must use absolute paths
Error Handling β Uniform response contract
{success, data, error, meta}:success=true: data contains result, error is nullsuccess=false: error contains{code, message, hint}, data is nullError codes: DENIED_PATH, DENIED_SERVICE, DENIED_SITE, INVALID_INPUT, COMMAND_BLOCKED, NOT_FOUND, TIMEOUT, etc.
meta: server_type, server_ip, server_name
Return Types:
Strings for simple output
Dicts for structured data (Python, MySQL, etc.)
Lists for directories and cron schedules
π― BEST PRACTICES
Server identification: Use
get_server_info()to verify which server you're working onCheck whitelists first: Call
get_service_whitelist()before managing servicesRead-only first: Check status/logs before restarting services
Validate cron schedules: Use
cron_next_runs()to validate schedulesService names: Check which service name is used on the system
Error handling: Always check for "Denied" or {"error": ...} in responses
Log locations: Use
list_dir()to explore log directories before reading logsConfig changes: Always restart the service after changes to
config.json
π TESTED & VERIFIED
All tools have been tested and work correctly: β Service status and restart functionality β Log file reading β Python 3.13 execution (sandboxed) β Cron schedule validation β File operations (read-only) β Directory listing
Last Updated: 2026-03-03
Server: Linux (generic)
Environment: Production/Development
Configuration: Via config.json (no hardcoded values)
Architecture: Modular (server.py entrypoint, core/, tools/)
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/gerard-kanters/mcp-linux-tools'
If you have feedback or need assistance with the MCP directory API, please join our Discord server