Rclone encrypted mount reading files outside the directory?

m7eesn · February 16, 2023, 6:15pm

What is the problem you are having with rclone?

I have an encrypted google drive backend, it's working perfectly for god knows how long, i upgraded recently to v1.61.1, and i begin to receive unexpected error, log is filled with something like

Encrypted drive 'gnocache:': ChangeNotify was unable to decrypt "Scene Naming (Responses)": illegal base32 data at input byte 5

It's only one file that shows the problem and this file isn't even part of the /gdrive/encrypt, i suspect because it's reading on changeNotify it's reading all files that are part of the google drive not just the ones namespaced under /gdrive/encrypt. because i did lsjson gnocache: --recursive on both the encrypted and unencrypted endpoint. and the reported filename isn't there, however when i go directly to google drive, and search for the file it's a file that was shared with me and it's frequently being updated as such, i think rclone is listening on all files not just what it's supposed to and ignore the others. while i think it's not problem it's might leak things which aren't supposed to. in my case it's non issues as i don't really use the drive much except for rclone.

Run the command 'rclone version' and share the full output of the command.

rclone v1.61.1

os/version: ubuntu 22.04 (64 bit)
os/kernel: 5.15.0-60-generic (x86_64)
os/type: linux
os/arch: amd64
go/version: go1.19.4
go/linking: static
go/tags: none

Which cloud storage system are you using? (eg Google Drive)

Google Drive

The command you were trying to run (eg `rclone copy /tmp remote:tmp`)

/usr/bin/rclone mount gnocache: /mnt/google --allow-other --dir-cache-time 1000h --log-level NOTICE --syslog --poll-interval 15s --user-agent random_agent --rc --rc-addr=127.0.0.1:8070 --rc-no-auth --cache-dir=/rcache --cache-db-purge --vfs-cache-mode full --vfs-cache-max-size 50G --vfs-cache-max-age 6h --vfs-cache-poll-interval 5m --drive-pacer-min-sleep 10ms --drive-pacer-burst 1000 --attr-timeout 5000h --vfs-read-chunk-size 1M --bwlimit-file 32M

The rclone config contents with secrets removed.

[gdrive]
type = drive
scope = drive
token = snip
client_id = snip
client_secret = snip
root_folder_id = snip

[gnocache]
type = crypt
remote = gdrive:/gdrive/crypt
filename_encryption = standard
directory_name_encryption = true
password = snip
password2 = snip

A log from the command with the `-vv` flag

Feb 15 09:13:46 main rclone[1293]: Encrypted drive 'gnocache:': ChangeNotify was unable to decrypt "Scene Naming (Responses)": illegal base32 data at input byte 5
Feb 15 15:48:46 main rclone[1293]: Encrypted drive 'gnocache:': ChangeNotify was unable to decrypt "Scene Naming (Responses)": illegal base32 data at input byte 5
Feb 15 16:48:31 main rclone[1293]: Encrypted drive 'gnocache:': ChangeNotify was unable to decrypt "Scene Naming (Responses)": illegal base32 data at input byte 5
Feb 15 17:03:01 main rclone[1293]: Encrypted drive 'gnocache:': ChangeNotify was unable to decrypt "Scene Naming (Responses)": illegal base32 data at input byte 5
Feb 15 17:06:01 main rclone[1293]: Encrypted drive 'gnocache:': ChangeNotify was unable to decrypt "Scene Naming (Responses)": illegal base32 data at input byte 5
Feb 15 17:13:46 main rclone[1293]: Encrypted drive 'gnocache:': ChangeNotify was unable to decrypt "Scene Naming (Responses)": illegal base32 data at input byte 5
Feb 15 22:50:46 main rclone[1293]: Encrypted drive 'gnocache:': ChangeNotify was unable to decrypt "Scene Naming (Responses)": illegal base32 data at input byte 5
Feb 16 02:28:01 main rclone[1293]: Encrypted drive 'gnocache:': ChangeNotify was unable to decrypt "Scene Naming (Responses)": illegal base32 data at input byte 5
Feb 16 18:20:31 main rclone[1293]: Encrypted drive 'gnocache:': ChangeNotify was unable to decrypt "Scene Naming (Responses)": illegal base32 data at input byte 5
Feb 16 18:31:46 main rclone[1293]: Encrypted drive 'gnocache:': ChangeNotify was unable to decrypt "Scene Naming (Responses)": illegal base32 data at input byte 5

Animosity022 · February 16, 2023, 6:19pm

Sorry as I'm trying to follow.

Are you mixing non encrypted and crypted content in that path?

rclone ls gnocache: -vv

Works without any errors? Not asking to share the whole output but if there are no errors, the mount wouldn't notice anything either as it's only from that path down.

m7eesn · February 16, 2023, 6:32pm

No. There is no un encrypted files inside gnocache: as i stated in my post i did lsjson on both encryped and unencryped endpoint and doesn't have the file. The error in log just for that file whenever it's updated by outside sources which is shared file and it's not in the gnocache path at all.

mattzab · February 16, 2023, 6:49pm

I've been seeing this error for years. It doesn't seem to have any impact on anything, and nobody seems to know what causes it. I've noticed that the error is only on crypt mounts, and it always mentions files that have been shared to you. It may also mention files that you've shared with others, but I haven't noticed that to be the case at all.

Animosity022 · February 16, 2023, 7:11pm

So for a use case:

GD remote:

noncrypt\testfile.txt
crypt\something.txt

and you'd want me to share testfile.txt
mount the crypt remote
change the testfile.txt

and I'd get my scenario?

m7eesn · February 16, 2023, 7:56pm

Here is how i think you can trigger the error, have your google drive mounted, get someone to share a file with you. it's not actually in your drive you only find it in shared with me page in google drive website, once that done, and you see it from your drive. have the person commit changes to that file wait a abit for the ChangeNotiy to trigger the error will trigger in your google drive mount, i suspect the way google change notify is by sending all events regardless of the path it's in, and since gdrive backend in config doesn't have a path, it listens to all changeNotifiy events thus it will delegate them to gnocache and since the encrypt file only deal with encrypted file names, it doesn't know what to do with it and thus the error.

At least that what appears to me.

Animosity022 · February 16, 2023, 8:18pm

That was actually super easy to reproduce:

2023/02/16 15:14:41 DEBUG : Google drive root 'crypt': Checking for changes on remote
2023/02/16 15:14:41 NOTICE: Encrypted drive 'gcrypt:': ChangeNotify was unable to decrypt "TestDoc": not a multiple of blocksize

Mounted a crypt on Google Drive
Shared a file with the mounted user

I'd imagine that's a bug on the API if I had to guess as it's only with shared files.

I tried with adding a local / non shared with me file and that did not reproduce the issue specifically as it noted the same shared with me file again.

Neat - Love Google

I'd say you can file a bug report as we have the clear steps to reproduce it.

system · March 18, 2023, 8:19pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.