Impossible to grant elevated privileges | Friends of the Crustacean 🦞🤝 | Page 1

robust crown Feb 20, 2026, 2:31 PM

#

I have openclaw running in a docker container on my VPS. I've tried editing the docker-compose.yaml for the container to run as root, I've tried editing openclaw.json to include elevated privileges, I have tried /elevate full in the chat in the webui... I have changed the syntax in a myriad of different ways but I cannot seem to give elevated privileges to my clawdbot. Any idea?

root@THE-BRAIN:~/openclaw# cat docker-compose.yml
services:
openclaw-gateway:
build: .
image: ${OPENCLAW_IMAGE:-openclaw:local}
privileged: true
user: "0:0"
environment:
HOME: /root
TERM: xterm-256color
OPENCLAW_GATEWAY_TOKEN: ${OPENCLAW_GATEWAY_TOKEN}
OPENCLAW_TOOLS_ELEVATED_ENABLED: true
OPENCLAW_TOOLS_ELEVATED_ALLOW_FROM: true
OPENCLAW_TOOLS_EXEC_ENABLED: true
CLAUDE_AI_SESSION_KEY: ${CLAUDE_AI_SESSION_KEY}
CLAUDE_WEB_SESSION_KEY: ${CLAUDE_WEB_SESSION_KEY}
CLAUDE_WEB_COOKIE: ${CLAUDE_WEB_COOKIE}
volumes:
- ${OPENCLAW_CONFIG_DIR}:/home/node/.openclaw
- ${OPENCLAW_WORKSPACE_DIR}:/home/node/.openclaw/workspace
ports:
- "127.0.0.1:${OPENCLAW_GATEWAY_PORT:-18789}:18789"
- "127.0.0.1:${OPENCLAW_BRIDGE_PORT:-18790}:18790"
init: true
restart: unless-stopped
command:
[
"node",
"dist/index.js",
"gateway",
"--bind",
"lan",
"--port",
"18789",
"--allow-unconfigured",
]

root@THE-BRAIN:~/openclaw# cat /root/.openclaw/openclaw.json
.....
},
"tools": {
"elevated": {
"enabled": true,
"allowFrom": {
"webchat": ["*"]
}
}
}
}

granite estuaryBOT Feb 20, 2026, 2:31 PM

#

To help others find answers, you can mark your question as solved via Right click solution message -> Apps -> ✅ Mark Solution

spice ploverBOT Feb 20, 2026, 2:40 PM

#

“Elevated” in OpenClaw is not “run the container as root” — it’s a gateway-side allowlist that decides whether /elevated … is allowed, and (when sandboxed) whether exec runs on the gateway host + optionally skips approvals. Docs: https://docs.openclaw.ai/tools/elevated

In your docker-compose there’s a big config-path mismatch that usually causes this exact “why is it ignoring my tools.elevated?” feeling:

You set HOME: /root (so default config path becomes /root/.openclaw/openclaw.json inside the container)

But you mount your state dir to /home/node/.openclaw:

volumes:
  - ${OPENCLAW_CONFIG_DIR}:/home/node/.openclaw

So the gateway is very likely not reading the file you’re editing.

Fix the config path first (pick one)

Option A (simplest): make HOME match the mount

environment:

#

  HOME: /home/node
volumes:
  - ${OPENCLAW_CONFIG_DIR}:/home/node/.openclaw

Option B: mount the state dir where HOME points

volumes:
  - ${OPENCLAW_CONFIG_DIR}:/root/.openclaw

Option C: explicitly pin the config file path

environment:
  OPENCLAW_CONFIG_PATH: /home/node/.openclaw/openclaw.json

#

Config location doc: https://docs.openclaw.ai/help/faq#what-format-is-the-config-where-is-it

Also: remove this env var (it’s not a valid shape)

You have:

OPENCLAW_TOOLS_ELEVATED_ALLOW_FROM: true

But tools.elevated.allowFrom must be an object (per-provider), e.g.:

tools: {
  elevated: {
    enabled: true,
    allowFrom: { webchat: ["session:demo"] },
  },
}

(Example: https://docs.openclaw.ai/gateway/configuration-examples)

#Impossible to grant elevated privileges

Fix the config path first (pick one)

Also: remove this env var (it’s not a valid shape)