Does rclone limit cloud account access to just cloud storage?

What is the problem you are having with rclone?

Security related question please:

In the case of a bad actor hacking into a "live" rclone session (i.e. someone taking control of Linux while Rclone is mounted to OneDrive and/or Google Drive) or theft of an Rclone Config file without password protection....

  1. Would it be possible for the bad actor to access the associated account password for the cloud storage? (OneDrive and/or Google Drive)

  2. Separately - would the bad actor be able to gain access to the email account associated to the cloud storage? (OneDrive's Outlook.com and/or Google's Gmail)

Reason for asking:

  • I am trying to understand if the associated email accounts would remain safe, if a hacker somehow got control of a live rclone session or hacked a password-protected config file
  • I understand Rclone uses an access token to get access to cloud storage - but I am not clear if that access token would somehow allow a bad actor to also access other apps (e.g. email) that are connected to the cloud account

Thank you in advance

Run the command 'rclone version' and share the full output of the command.

rclone v1.61.1

  • os/version: ubuntu 22.04 (64 bit)
  • os/kernel: 5.15.0-1029-oracle (aarch64)
  • os/type: linux
  • os/arch: arm64
  • go/version: go1.19.4
  • go/linking: static
  • go/tags: none

Which cloud storage system are you using? (eg Google Drive)

OneDrive and Google Drive

The command you were trying to run (eg rclone copy /tmp remote:tmp)

N/A

The rclone config contents with secrets removed.

N/A

A log from the command with the -vv flag

N/A

no, rclone has no way of knowing the account password

no, rclone has no way of knowing the email password and 2FA seed.

with gmail, it has its own api, which rclone does not use
https://developers.google.com/gmail/api/guides

Thank you for the reply.

Just to be certain - with the Microsoft account, 2FA is not set up (and naturally, there is only 1 account/password to access all Microsoft services - OneDrive, Outlook.com emails etc). Does this change anything or is 2FA not required?

no, does not change anything.
rclone never knows your account/password, never has access to emails.
the token is only accessing files in onedrive/gdrive.

perfect thank you

you are welcome, and that was a good question.
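
As an added example (not from the thread and not rclone's own code), this Python function inventories what an rclone config file holds per remote, so that after a suspected theft it is clear which stored tokens need revoking and that no account password is in the file. The function name, `SAMPLE` and all token values are constructed for illustration; the config keys (`type`, `scope`, `token`, `drive_type`, `client_secret`, `pass`, `password`) and the `RCLONE_ENCRYPT_V0:` marker are the ones rclone itself writes.

```python
import configparser
import json

ENCRYPTED_MARKER = "RCLONE_ENCRYPT_V0:"  # line rclone writes at the top of an encrypted config
SECRET_KEYS = {"token", "pass", "password", "client_secret"}

# Constructed sample config; every token value is a placeholder.
TOKEN = ('{"access_token":"CONSTRUCTED-ACCESS","token_type":"Bearer",'
         '"refresh_token":"CONSTRUCTED-REFRESH","expiry":"2023-01-20T10:00:00Z"}')
SAMPLE = f"""\
[gdrive]
type = drive
scope = drive.readonly
token = {TOKEN}

[od]
type = onedrive
drive_type = personal
token = {TOKEN}
"""

def audit_rclone_config(text):
    """List, per remote, which credential material a config file holds."""
    if any(line.strip() == ENCRYPTED_MARKER for line in text.splitlines()):
        return [{"remote": None, "encrypted": True}]  # contents unreadable without the password
    parser = configparser.ConfigParser(interpolation=None)  # token JSON may contain '%'
    parser.read_string(text)
    findings = []
    for name in parser.sections():
        section = parser[name]
        try:
            token = json.loads(section.get("token", "{}"))
        except json.JSONDecodeError:
            token = {}
        if not isinstance(token, dict):
            token = {}
        findings.append({
            "remote": name,
            "encrypted": False,
            "type": section.get("type"),
            "scope": section.get("scope"),  # set on drive remotes; None if absent
            "has_refresh_token": bool(token.get("refresh_token")),
            "secret_keys": sorted(k for k in section if k in SECRET_KEYS),
        })
    return findings

if __name__ == "__main__":
    for finding in audit_rclone_config(SAMPLE):
        print(finding)
```

A remote reported with `has_refresh_token` set is one whose app access should be revoked at the provider if the config file is ever exposed.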
