Is there a security vulnerability for the Rclone API?

kizilcahmet98 · July 14, 2021, 10:34am

I've posted on the forum several times. Using rclone, I will backup very important, even vital data to GDrive. Doing this requires statistics.

You stated that I can get it with the

rclone copy local/path remote_name: -P --rc --rc-no-auth

code in the topics I opened before.

Although it has some shortcomings for my needs, it works.

My concern is can someone access these files without my permission? Please do not get it wrong. I really don't know enough about API logic. I would be very happy if you inform me.

Edit:

If there is something I need to do for security, can you tell me?

sweh · July 14, 2021, 11:02am

By using the --rc-no-auth flag you're allowing anyone on the same machine who can reach port localhost:5572 access to the API.

If you want to lock it down you can require username/password or TLS client certs to authenticate. See Remote Control / API for details.

marc123 · July 17, 2021, 11:58pm

Why not encrypting using crypt backend?

system · July 26, 2021, 6:30am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.