
I'm automating file transfer via SFTP and got stuck when changing file ownership on the remote host. The problem is that SFTP's chown and chgrp commands only accept numeric uids/gids, which are not known beforehand. The expected scenario for my automation is for the user to provide file destinations along with string usernames and group names.

Is there a way to query the numeric uid/gid from the string user/groupname in the remote host through the SFTP session?

An easy workaround would be to open an additional SSH session and use the regular shell's chown and chgrp commands. But the company I work in uses timed tokens for authentication and, in short, an additional session means an additional 30 seconds per host, a non-starter for batch installations.
A harder one would be to ls -l directories, maybe files, to find one with the needed credentials, then ls -n to get the numeric version. But this has the risks of taking too long, finding no suitable directories/files or even getting stuck if a directory has too many files for ls to work...

2 Answers


It's not possible.

At least not with the widely used SFTP version 3.


An easy workaround would be to open an additional SSH session and use the regular shell's chown and chgrp commands. But the company I work in uses timed tokens for authentication and, in short, an additional session means an additional 30 seconds per host, a non-starter for batch installations.

With -o ControlMaster= and -o ControlPath= you can share multiple sessions over a single network connection (see man 5 ssh_config). Short options for ssh are -M and -S respectively (see man 1 ssh). This approach requires you to authenticate once. sftp from OpenSSH supports -o and can share a connection with ssh.

The procedure:

  1. ssh -Nf -o ControlMaster=yes -o ControlPath=… user@server. The master connection. Here you authenticate before the connection goes to the background.

  2. ssh -o ControlPath=… … and/or sftp -o ControlPath=… … and/or even sshfs (see below). As long as you stick to the chosen control socket (ControlPath) and the master connection works, these commands will use it. Have fun.

    E.g. you can run uid="$(ssh … "id -u someuser")" and use $uid later in your script.

  3. Finally ssh -o ControlPath=… -O exit … to terminate the master connection.

My other answers that may be useful:

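The three-step procedure above, scripted end to end as an added example (not code from the answer or from OpenSSH): the master connection is opened once, the name lookups run over the shared socket, and the resulting numbers are fed to sftp's chown/chgrp through a batch file on stdin. The control-socket path in CTL is a placeholder, and SSH_CMD is an assumed hook that lets the resolver be exercised against a local stand-in instead of a real host.

```shell
#!/bin/sh
# Added example: ControlMaster procedure + name-to-number lookup + sftp chown/chgrp.
# Assumptions: CTL is a placeholder ControlPath; SSH_CMD, when set, replaces the
# "ssh -o ControlPath=..." runner so the lookups can be tested without a remote host.
set -eu
CTL="${CTL:-$HOME/.ssh/ctl-%r@%h:%p}"   # ssh expands %r@%h:%p, so one socket per user@host

open_master()  { ssh -Nf -o ControlMaster=yes -o ControlPath="$CTL" "$1"; }  # step 1: authenticate once
close_master() { ssh -o ControlPath="$CTL" -O exit "$1"; }                  # step 3: tear the master down

# Step 2: run one command on the host over the shared socket (or the SSH_CMD stand-in).
remote() {
  host=$1; shift
  if [ -n "${SSH_CMD:-}" ]; then $SSH_CMD "$host" "$*"; else ssh -o ControlPath="$CTL" "$host" "$*"; fi
}

# Only plain account/group names are interpolated into the remote command line,
# and only a plain integer is ever returned, so a typo or an odd name can never
# become an empty or shell-significant chown argument.
valid_name() { case "${1:-}" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac; }
is_number()  { case "${1:-}" in ''|*[!0-9]*) return 1 ;; esac; }

resolve_uid() {   # host user -> numeric uid, via id(1) on the remote side
  valid_name "$2" || return 1
  n=$(remote "$1" "id -u '$2'" 2>/dev/null) || return 1
  is_number "$n" && printf '%s\n' "$n"
}
resolve_gid() {   # host group -> numeric gid, via getent(1) on the remote side
  valid_name "$2" || return 1
  n=$(remote "$1" "getent group '$2' | cut -d: -f3" 2>/dev/null) || return 1
  is_number "$n" && printf '%s\n' "$n"
}

sftp_batch() { printf 'chown %s %s\nchgrp %s %s\n' "$1" "$3" "$2" "$3"; }   # uid gid path -> batch lines

# Resolve both names first; only then talk to sftp, reading the batch from stdin (-b -).
apply_ownership() {
  host=$1 user=$2 group=$3 path=$4
  uid=$(resolve_uid "$host" "$user")  || { echo "cannot resolve user $user on $host" >&2; return 1; }
  gid=$(resolve_gid "$host" "$group") || { echo "cannot resolve group $group on $host" >&2; return 1; }
  sftp_batch "$uid" "$gid" "$path" | sftp -b - -o ControlPath="$CTL" "$host"
}

if [ $# -eq 4 ]; then   # usage: script.sh user@host owner group /remote/path
  open_master "$1"; trap 'close_master "$1"' EXIT
  apply_ownership "$@"
fi
```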
  • Great, @kamil-maciorowski ! It **almost** worked here. The shared connections indeed don't ask for a password, but they ask for the token. So, even though SSH shared connections did work, I still have to wait 30s for opening shared connections. SFTP didn't work - it requires the token to be sent to open the master connection, and invalidates new tokens for shared sessions. Is there a way to make the master connection keep the token valid, instead of asking again for each shared connection? – Emerson Prado Mar 18 '21 at 18:29
  • One thing I forgot to mention that I believe impacts this solution: besides two-factor auth, the company also uses a jump server with a restricted shell. This jump server asks for the tokens, and it happens to do so on every connection, either master or shared – Emerson Prado Mar 18 '21 at 18:35
  • 1
    @EmersonPrado If you edit your question and reveal how you connect using the jump server then *maybe* something can be improved. However this is moving towards "issues specific to corporate IT support and networks" – explicitly off-topic here. The point is the company set some security up and the right thing is to work with the IT guys, not against them. You should ask for their assistance (and remember your root problem is with uid/gid, not with tokens, start with this). Trying to circumvent their setup may hurt your career, even if the solution technically works and your intentions are good. – Kamil Maciorowski Mar 18 '21 at 18:55
  • Yes, this question is about the best way to query uid and gid in SFTP transfers. I hoped SFTP could do it, but it turns out I need two sessions per server, which is another issue. BTW, we use Google TOTP two-factor auth, but I don't think I can reveal the final host access scheme, so I tested a master SSH connection to the jump server itself, taking the final host out of the equation. The shared sessions didn't work either - they always ask for a token. I guess shared connections + TOTP 2FA belong in a different question. But thanks a lot! – Emerson Prado Mar 19 '21 at 21:01