Security concern with config on the fly

What is the problem you are having with rclone?

This is a continuation of the post from April (it was closed by the system so I had to open a new one): https://forum.rclone.org/t/auto-config-file-write/30032

I want to use rclone to mount a Google Drive with a script stored on a USB disk which will be removed immediately after the script is executed.
With the help of ncw and asdffdsa, I found that making the config on the fly could be the solution.

I tried to mount my Google Drive this way and everything works fine.

But before I use this method, I have some security concerns.
To my understanding, it's going to expose some sensitive info, e.g. the client secret and SA credentials, to shell environment variables.

I am not a coder so I don't have a comprehensive understanding of how the shell works.
Therefore, could anyone tell me whether this would really cause security issues, and whether there is any way to fix/improve this?

Thanks in advance!

Run the command 'rclone version' and share the full output of the command.

rclone v1.58.1
- os/version: Microsoft Windows 10 Pro for Workstations 21H2 (64 bit)
- os/kernel: 10.0.19044.1682 (x86_64)
- os/type: windows
- os/arch: amd64
- go/version: go1.17.9
- go/linking: dynamic
- go/tags: cmount

Which cloud storage system are you using?

Google Drive

The command you were trying to run (eg rclone copy /tmp remote:tmp)

@set RCLONE_CONFIG_GDONFLY_TYPE=drive
@set RCLONE_CONFIG_GDONFLY_SCOPE=drive

@set RCLONE_CONFIG_GDONFLY_CLIENT_ID=apiid
@set RCLONE_CONFIG_GDONFLY_CLIENT_SECRET=apisecret

@set RCLONE_CONFIG_GDONFLY_ROOT_FOLDER_ID=folderid

@set RCLONE_CONFIG_GDONFLY_SERVICE_ACCOUNT_CREDENTIALS={sascredentials}

rclone mount gdonfly: Q: -vv

that is going to be a problem, as it is easy to view the environment variables of any process.

what is wrong with using an encrypted rclone config file and manually typing in a password when running rclone mount?

On Linux you need to be root to read other processes' environment variables.

You can define the remote all on the command line, but that will be visible to other processes too.

Rclone could delete the environment variables once it has read them I suppose...

I made a remote with environment variables and the variables remain there after the remote is created, just like asdffdsa's case.
You mentioned, "Rclone could delete the environment variables once it has read them I suppose". Could you tell me how to do this, maybe add certain flags or...?
By the way, is it possible to delete environment variables by another program (Windows and Linux - I mainly use Debian)?

currently, rclone does not do that, ncw would have to modify the source code.
and i think that is a good idea, perhaps yet another new flag, --delete-env-var

your example uses windows, and for that, the answer is no.

why not use an encrypted rclone config file?
when you run the script, type in the rclone password once.

Thank you for your explanation!

I would also support the idea of adding a feature to delete the environment variables.

Probably I should use an encrypted rclone config file.
But I still have two questions.
First, since I am using a service account but not a token, rclone is not going to update the config file automatically, is it?
Second, if it's on Linux, e.g. Debian, is it possible to delete environment variables by another program?

well, your remote is a bit confusing; using both service account file AND client_id+client_secret.
no need for both, just use the service account file and remove the client_id+client_secret

i think this has been discussed in the forum a few times.
as far as i know, the answer is rclone is not going to update the config file.

i do not know.

Thanks for your notice!

I don't know much about the service account and client id+secret. I am going to follow your advice but could you explain it further? I am curious about the details behind it.

in that other topic, https://forum.rclone.org/t/auto-config-file-write/30032
i suggested to use rclone config create

  1. does not use env variables.
  2. does not use config file.

for example,

rclone config create gdonfly drive scope=drive root_folder_id=123xyz service_account_file=.\sa.json
rclone mount gdonfly: q: -vv
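
An added example, not part of any post above and not rclone code, relating to the suggestion that a program could delete its environment variables after reading them: on Linux, /proc/<pid>/environ holds the environment block as it was at exec time, so a later unset inside the process does not remove the value from there. The variable name comes from the thread; the value is a constructed dummy, and the check needs a Linux /proc.

```python
import os
import subprocess
import sys

VAR = "RCLONE_CONFIG_GDONFLY_CLIENT_SECRET"  # variable name taken from the thread
VALUE = "constructed-dummy-secret"            # constructed sample value, not a real secret

# Child program: remove the variable from its own environment, report whether
# it can still see it, then block until the parent closes stdin.
CHILD = (
    "import os, sys\n"
    f"del os.environ[{VAR!r}]\n"
    f"print({VAR!r} in os.environ, flush=True)\n"
    "sys.stdin.read()\n"
)


def env_after_unset():
    """Return (child_still_sees_var, proc_environ_still_has_var)."""
    env = dict(os.environ, **{VAR: VALUE})
    child = subprocess.Popen(
        [sys.executable, "-c", CHILD],
        env=env,
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        text=True,
    )
    try:
        # Wait until the child has finished unsetting the variable.
        child_sees = child.stdout.readline().strip() == "True"
        # /proc/<pid>/environ is the NUL-separated block captured at execve().
        with open(f"/proc/{child.pid}/environ", "rb") as fh:
            entries = fh.read().split(b"\0")
        in_proc = f"{VAR}={VALUE}".encode() in entries
    finally:
        child.stdin.close()   # EOF lets the child exit
        child.wait()
        child.stdout.close()
    return child_sees, in_proc


if __name__ == "__main__":
    sees, in_proc = env_after_unset()
    print(f"child still sees {VAR}: {sees}")
    print(f"/proc/<pid>/environ still lists it: {in_proc}")
```

The parent here reads its own child's environ file, which the same user is allowed to do; the encrypted config file suggested in the thread keeps the secret out of the environment altogether.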