I try to get a directory output into my SQL-database directly invoked by a php-page.
Since the php-page is running on a Ubuntu-LAMP web-server the user is: "www-data" and does not has sufficient permission to operate "rclone lsjson $remotename:$path"
Is there a way to realize what is needed for me? A personalized "config" or "service file" for www-data.(?)
Read-Only and only lsjson output would be sufficient for my task.
BTW: rclone does exactly what is needed on the Ubuntu shell as root.
(About security concerns: The php-page is in a password protected area.)
What is the problem you are having with rclone?
rclone lsjson command can not be executed from php-script (webpage) (user: www-data) by default.
What is your rclone version (output from rclone version)
rclone v1.51.0 - os/arch: linux/amd64 - go version: go1.13.7
Which OS you are using and how many bits (eg Windows 7, 64 bit)
Ubuntu 18.04 php 7, 64bit
Which cloud storage system are you using? (eg Google Drive)
MS-OneDrive
The command you were trying to run (eg rclone copy /tmp remote:tmp)
in my PHP script I use:
system("rclone lsjson $remotename:$fullpathtoexpenses > $jsonimportfile");
...
and later
$strJsonFileContents = file_get_contents("$jsonimportfile");
...
A log from the command with the -vv flag (eg output from rclone -vv copy /tmp remote:tmp)
Hi Animosity.
Yes the command (rclone lsjson mydrivename:my/path > /tmp/some.json) works as expected on the shell-console and using loginuser "root".
BTW: not relevant for the described permission behavior: But I am using mysql - not python.
The php script with the rclone ls command is invoked by a web-page. So the user is the standard web-daemon. In my environment, it is www-data (other common users for web-servers are: wwwrun, httpd, etc.).
All paths are correct - I do not get "file not found" but a permission error. I also could run " rclone version" from inside my php-script which brings the output: "
rclone v1.51.0 - os/arch: linux/amd64 - go version: go1.13.7
" in the HTML part of my php page and therefore in my browser window.
su - www-data -c 'rclone cmd' will not work since www-data is the http daemon account - this is a system account with no login.
rclone with -vv (run as root on the console) does not show many debug-details - maybe because there is no issue with this cmd or user ;-). See below for the full output.
But you are right the accessibility of the config file might be the problem. It can not be accessed by user "www-data". How can I point to another config file as a parameter attached to the rclone command? e.g. rclone cmd --config=“/path/to/rclone-for-wwwdata.conf” (found something like this here in the forum) - does this work?
And if yes. There are almost no details in my config file for root except the access-token. Can I place something like read-only in the config-file? I found admins in this forum discussing about a "service-file" with more details. But I could not find a helpful documentation.
Here the full output of rclone lsd -vv:
2020/04/23 15:43:19 DEBUG : rclone: Version "v1.51.0" starting with parameters ["rclone" "lsd" "2ce-onedrive:" "-vv"]
2020/04/23 15:43:19 DEBUG : Using config file from "/root/.config/rclone/rclone.conf"
-1 2020-04-22 19:07:30 11 B2E
-1 2020-03-06 15:33:59 0 Bilder
-1 2020-03-06 15:34:01 0 Dokumente
2020/04/23 15:43:20 DEBUG : 6 go routines active
2020/04/23 15:43:20 DEBUG : rclone: Version "v1.51.0" finishing with parameters ["rclone" "lsd" "2ce-onedrive:" "-vv"]
Do you mean to make the remote read only to your calling php? I don't think so and im not familiar with one-drive. I know on google drives you can create a service account and grant only read on things.
Ok. rclone can point to another config file location. Good.
This helps a little (for debugging) - but for security reasons I try to avoid to give the web-user: "wwwdata" full access-permissions to rclone (and the main config) and therefore to the remote filesystem.
An alternative config-file or a 2nd config file with some possible restrictions - e.g. "read only" or "chain client to directory", would be what I need.
Since this seems not be possible on the rclone side(?) I try to find a way with OneDrive.
Onedrive also offers read-only access to clients but I do not know how to implement this in the config file. Still investigating the manuals (starting here: https://rclone.org/onedrive/) and solutions in the internet. As soon I found a way I will post here.
Maybe the "Env Var: RCLONE_ONEDRIVE_CLIENT_ID" is good starting point.
I appreciate any hint or solution from one of the rclone experts..... Thank you.
rclone just uses what's available from the user. I'm not as familiar with OneDrive, but with Google Drive, you'd create a user with read only access to what you want and rclone would use that user. If the same thing applies, you'd make a read only user and use that for www-data.
I suppose you could run a rclone serve webav/sftp/etc on the loopback with a read-only flag as another user (protected user). Then in your php you proxy access through the serve via rclone rather than accessing OneDrive directly. It does add another layer though.
in Onedrive/ Azure it seems one has the same options - as described from another forum user here: Doubt about getting your own Client ID and Key for onedrive
At this point I try to reduce access permissions in Onedrive/Azure to be able to offer a less "open" rclone config to www-data.
Wow. This is too much for me and for the rather simple task to redirect a directory content into a text file But at the end a good approach. I hope to find something more simple....
My final solution is not perfect but works for me.
Maybe somebody else finds it helpful.
If you only need to generate (simple) directory (file) listings (e.g. by cmd: rclone lsjson...) which you want to import into SQL by php-script and invoked or accessed via a browser... and you also face permission or security issues you could do the following:
let the php script generate a log or tmp file as the "trigger"
But at the end a good approach. I hope to find something more simple....