Rclone lsjson as www-data (from php-script) - how to get permissions?

Hi Forum,

I try to get a directory output into my SQL-database directly invoked by a php-page.
Since the php-page is running on a Ubuntu-LAMP web-server the user is: "www-data" and does not has sufficient permission to operate "rclone lsjson $remotename:$path"
Is there a way to realize what is needed for me? A personalized "config" or "service file" for www-data.(?)
Read-Only and only lsjson output would be sufficient for my task.

BTW: rclone does exactly what is needed on the Ubuntu shell as root.

(About security concerns: The php-page is in a password protected area.)

What is the problem you are having with rclone?

rclone lsjson command can not be executed from php-script (webpage) (user: www-data) by default.

What is your rclone version (output from rclone version)

rclone v1.51.0 - os/arch: linux/amd64 - go version: go1.13.7

Which OS you are using and how many bits (eg Windows 7, 64 bit)

Ubuntu 18.04 php 7, 64bit

Which cloud storage system are you using? (eg Google Drive)


The command you were trying to run (eg rclone copy /tmp remote:tmp)

in my PHP script I use:
system("rclone lsjson $remotename:$fullpathtoexpenses > $jsonimportfile");
and later
$strJsonFileContents = file_get_contents("$jsonimportfile");

A log from the command with the -vv flag (eg output from rclone -vv copy /tmp remote:tmp)

Permission denied

Can you run the command without the python and does it work?

Hi Animosity.
Yes the command (rclone lsjson mydrivename:my/path > /tmp/some.json) works as expected on the shell-console and using loginuser "root".
BTW: not relevant for the described permission behavior: But I am using mysql - not python.

Sorry as I meant php as that's your script above.

If it works on the command line but not in the php you have, what user are you using for that? Do you need to give it the full path in the php?

The php script with the rclone ls command is invoked by a web-page. So the user is the standard web-daemon. In my environment, it is www-data (other common users for web-servers are: wwwrun, httpd, etc.).
All paths are correct - I do not get "file not found" but a permission error. I also could run " rclone version" from inside my php-script which brings the output: "

rclone v1.51.0 - os/arch: linux/amd64 - go version: go1.13.7

" in the HTML part of my php page and therefore in my browser window.

If you get a permission denied, you'd have to troubleshoot what's going on via php as that's not really a rclone thing.

I'd turn on php debugging and step through and see where the issue is since it runs fine from the command line.

It'll probably be easier to just run test with

su - www-data -c 'rclone cmd'

Is the permission denied on write/read to the config file? Can you post the full -vv debug log?

It could also be on your redirection in the php itself.

su - www-data -c 'rclone cmd' will not work since www-data is the http daemon account - this is a system account with no login.

rclone with -vv (run as root on the console) does not show many debug-details - maybe because there is no issue with this cmd or user ;-). See below for the full output.

But you are right the accessibility of the config file might be the problem. It can not be accessed by user "www-data". How can I point to another config file as a parameter attached to the rclone command? e.g. rclone cmd --config=“/path/to/rclone-for-wwwdata.conf” (found something like this here in the forum) - does this work?

And if yes. There are almost no details in my config file for root except the access-token. Can I place something like read-only in the config-file? I found admins in this forum discussing about a "service-file" with more details. But I could not find a helpful documentation.

Here the full output of rclone lsd -vv:

2020/04/23 15:43:19 DEBUG : rclone: Version "v1.51.0" starting with parameters ["rclone" "lsd" "2ce-onedrive:" "-vv"]
2020/04/23 15:43:19 DEBUG : Using config file from "/root/.config/rclone/rclone.conf"
-1 2020-04-22 19:07:30 11 B2E
-1 2020-03-06 15:33:59 0 Bilder
-1 2020-03-06 15:34:01 0 Dokumente
2020/04/23 15:43:20 DEBUG : 6 go routines active
2020/04/23 15:43:20 DEBUG : rclone: Version "v1.51.0" finishing with parameters ["rclone" "lsd" "2ce-onedrive:" "-vv"]

--config string Config file. (default "/home/xxxx/.rclone.conf")

Yes that works

Do you mean to make the remote read only to your calling php? I don't think so and im not familiar with one-drive. I know on google drives you can create a service account and grant only read on things.

You can use an environment variable:


You can use a --config and point it to the file you want to use.

Ok. rclone can point to another config file location. Good.
This helps a little (for debugging) - but for security reasons I try to avoid to give the web-user: "wwwdata" full access-permissions to rclone (and the main config) and therefore to the remote filesystem.
An alternative config-file or a 2nd config file with some possible restrictions - e.g. "read only" or "chain client to directory", would be what I need.
Since this seems not be possible on the rclone side(?) I try to find a way with OneDrive.

Onedrive also offers read-only access to clients but I do not know how to implement this in the config file. Still investigating the manuals (starting here: https://rclone.org/onedrive/) and solutions in the internet. As soon I found a way I will post here.
Maybe the "Env Var: RCLONE_ONEDRIVE_CLIENT_ID" is good starting point.

I appreciate any hint or solution from one of the rclone experts..... Thank you.

rclone just uses what's available from the user. I'm not as familiar with OneDrive, but with Google Drive, you'd create a user with read only access to what you want and rclone would use that user. If the same thing applies, you'd make a read only user and use that for www-data.

I suppose you could run a rclone serve webav/sftp/etc on the loopback with a read-only flag as another user (protected user). Then in your php you proxy access through the serve via rclone rather than accessing OneDrive directly. It does add another layer though.

In Google drive you'd set the scope to read only.

Rclone currently requests these scopes

Scopes:       []string{"Files.Read", "Files.ReadWrite", "Files.Read.All", "Files.ReadWrite.All", "offline_access", "Sites.Read.All"},

But there isn't a way to configure them at the moment.

in Onedrive/ Azure it seems one has the same options - as described from another forum user here: Doubt about getting your own Client ID and Key for onedrive
At this point I try to reduce access permissions in Onedrive/Azure to be able to offer a less "open" rclone config to www-data.

1 Like

Wow. This is too much for me and for the rather simple task to redirect a directory content into a text file :wink: But at the end a good approach. I hope to find something more simple....

My final solution is not perfect but works for me.
Maybe somebody else finds it helpful.
If you only need to generate (simple) directory (file) listings (e.g. by cmd: rclone lsjson...) which you want to import into SQL by php-script and invoked or accessed via a browser... and you also face permission or security issues you could do the following:

  1. let the php script generate a log or tmp file as the "trigger"
  2. execute the needed rclone command - triggered by incron or similar additional software (http://inotify.aiken.cz/?section=incron&page=why&lang=en) - can be installed by apt-get under Ubuntu
1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.