Provided by: globus-gridftp-server-progs_12.2-2_amd64 
NAME
globus-gridftp-server - The Globus GridFTP server daemon
SYNOPSIS
globus-gridftp-server OPTIONS
DESCRIPTION
The globus-gridftp-server program is a ftp server with support for GridFTP protocol
extensions, including strong authentication, parallel data transfers, and parallel data
layouts.
OPTIONS
The list below contains the command-line options for the server, and also the name of the
configuration file entry that implements that option. Note that any boolean option can be
negated on the command line by preceding the specified option with -no- or -n. example:
-no-cas or -nf.
Informational Options
-h,-help
Show usage information and exit.
This option can also be set in the configuration file as help. The default value of
this option is FALSE.
-hh,-longhelp
Show more usage information and exit.
This option can also be set in the configuration file as longhelp. The default value
of this option is FALSE.
-v,-version
Show version information for the server and exit.
This option can also be set in the configuration file as version. The default value of
this option is FALSE.
-V,-versions
Show version information for all loaded globus libraries and exit.
This option can also be set in the configuration file as versions. The default value
of this option is FALSE.
Modes of Operation
-i,-inetd
Run under an inetd service.
This option can also be set in the configuration file as inetd. The default value of
this option is FALSE.
-s,-daemon
Run as a daemon. All connections will fork off a new process and setuid if allowed.
This option can also be set in the configuration file as daemon. The default value of
this option is TRUE.
-S,-detach
Run as a background daemon detached from any controlling terminals.
This option can also be set in the configuration file as detach. The default value of
this option is FALSE.
-ssh
Run over a connected ssh session.
This option can also be set in the configuration file as ssh. The default value of
this option is FALSE.
-exec string
For statically compiled or non-GLOBUS_LOCATION standard binary locations, specify the
full path of the server binary here. Only needed when run in daemon mode.
This option can also be set in the configuration file as exec.
-chdir
Change directory when the server starts. This will change directory to the dir
specified by the chdir_to option.
This option can also be set in the configuration file as chdir. The default value of
this option is TRUE.
-chdir-to string
Directory to chdir to after starting. Will use / if not set. Note that this is the
directory of the process, not the client’s home directory.
This option can also be set in the configuration file as chdir_to.
-threads number
Enable threaded operation and set the number of threads. The default is 0, which is
non-threaded. When threading is required, a thread count of 1 or 2 should be
sufficient.
This option can also be set in the configuration file as threads.
-f,-fork
Server will fork for each new connection. Disabling this option is only recommended
when debugging. Note that non-forked servers running as root will only accept a single
connection, and then exit.
This option can also be set in the configuration file as fork. The default value of
this option is TRUE.
-1,-single
Exit after a single connection.
This option can also be set in the configuration file as single. The default value of
this option is FALSE.
-chroot-path string
Path to become the new root after authentication. This path must contain a valid
certificate structure, /etc/passwd, and /etc/group. The command
globus-gridftp-server-setup-chroot can help create a suitable directory structure.
This option can also be set in the configuration file as chroot_path.
Authentication, Authorization, and Security Options
-auth-level number
Add levels together to use more than one.
0 = Disables all authorization checks.
1 = Authorize identity.
2 = Authorize all file/resource accesses.
4 = Disable changing process uid to authenticated user (no setuid) -- DO NOT use this when process is started as root.
If not set uses level 2 for front ends and level 1 for data nodes. Note that levels 2 and 4 imply level 1 as well.
This option can also be set in the configuration file as auth_level.
-ipc-allow-from string
Only allow connections from these source ip addresses. Specify a comma separated list
of ip address fragments. A match is any ip address that starts with the specified
fragment. Example: 192.168.1. will match and allow a connection from 192.168.1.45.
Note that if this option is used any address not specifically allowed will be denied.
This option can also be set in the configuration file as ipc_allow_from.
-ipc-deny-from string
Deny connections from these source ip addresses. Specify a comma separated list of ip
address fragments. A match is any ip address that starts with the specified fragment.
Example: 192.168.2. will match and deny a connection from 192.168.2.45.
This option can also be set in the configuration file as ipc_deny_from.
-allow-from string
Only allow connections from these source ip addresses. Specify a comma separated list
of ip address fragments. A match is any ip address that starts with the specified
fragment. Example: 192.168.1. will match and allow a connection from 192.168.1.45.
Note that if this option is used any address not specifically allowed will be denied.
This option can also be set in the configuration file as allow_from.
-deny-from string
Deny connections from these source ip addresses. Specify a comma separated list of ip
address fragments. A match is any ip address that starts with the specified fragment.
Example: 192.168.2. will match and deny a connection from 192.168.2.45.
This option can also be set in the configuration file as deny_from.
-encrypt-data
Require encrypted data channels. This will cause an error and prevent all transfers in
which the client does not request an authenticated and encrypted data channel.
This option can also be set in the configuration file as encrypt_data. The default
value of this option is FALSE.
-si,-secure-ipc
Use GSI security on ipc channel.
This option can also be set in the configuration file as secure_ipc. The default value
of this option is TRUE.
-ia string,-ipc-auth-mode string
Set GSI authorization mode for the ipc connection. Options are: none, host, self or
subject:[subject].
This option can also be set in the configuration file as ipc_auth_mode. The default
value of this option is host.
-aa,-allow-anonymous
Allow clear text anonymous access. If server is running as root anonymous_user must
also be set. Disables ipc security.
This option can also be set in the configuration file as allow_anonymous. The default
value of this option is FALSE.
-anonymous-names-allowed string
Comma separated list of names to treat as anonymous users when allowing anonymous
access. If not set, the default names of anonymous and ftp will be allowed. Use * to
allow any username.
This option can also be set in the configuration file as anonymous_names_allowed.
-anonymous-user string
User to setuid to for an anonymous connection. Only applies when running as root.
This option can also be set in the configuration file as anonymous_user.
-anonymous-group string
Group to setgid to for an anonymous connection. If unset, the default group of
anonymous_user will be used.
This option can also be set in the configuration file as anonymous_group.
-sharing-dn string
Allow sharing when using the supplied DN. A client connected with these credentials
will be able to access any user for which sharing is enabled.
This option can also be set in the configuration file as sharing_dn.
-sharing-state-dir string
Full path to a directory that will contain files used by GridFTP to control sharing
access for individual local accounts. The special variables $HOME and $USER can be
used to create a dynamic path that is unique to each local account. This pathmust be
writable by the associated account. The default path is $HOME/.globus/sharing/. This
must refer to a path on the filesystem, not a path that is only accessible via a DSI
plugin.
This option can also be set in the configuration file as sharing_state_dir.
-sharing-control
Allow a local user account to control its own sharing access via special GridFTP
client commands. The user account must have filesystem write access to the sharing
state dir.
This option can also be set in the configuration file as sharing_control. The default
value of this option is TRUE.
-sharing-rp string
Sharing specific path restrictions. This completely replaces the normal path
restrictions (-rp) when an account is being shared by a sharing-dn login.Follows
normal path restriction semantics.
This option can also be set in the configuration file as sharing_rp.
-sharing-users-allow string
Comma separated list of usernames that are allowed to share unless matched in the user
deny lists. If this list is set, users that are not included will be denied unless
matched in the group allow list.
This option can also be set in the configuration file as sharing_users_allow.
-sharing-users-deny string
Comma separated list of usernames that are denied sharing even if matched in the user
or group allow lists.
This option can also be set in the configuration file as sharing_users_deny.
-sharing-groups-allow string
Comma separated list of groups whose members are allowed to share unless matched in
the user or group deny lists. If this list is set, groups that are not included will
be denied unless matched in the user allow list.
This option can also be set in the configuration file as sharing_groups_allow.
-sharing-groups-deny string
Comma separated list of groups whose members will be denied sharing unless matched in
the user allow list.
This option can also be set in the configuration file as sharing_groups_deny.
-allow-root
Allow clients to be mapped to the root account.
This option can also be set in the configuration file as allow_root. The default value
of this option is FALSE.
-allow-disabled-login
Do not check if a user’s system account is disabled before allowing login.
This option can also be set in the configuration file as allow_disabled_login. The
default value of this option is FALSE.
-password-file string
Enable clear text access and authenticate users against this /etc/passwd formatted
file.
This option can also be set in the configuration file as pw_file.
-connections-max number
Maximum concurrent connections allowed. Only applies when running in daemon mode.
Unlimited if not set.
This option can also be set in the configuration file as connections_max.
-connections-disabled
Disable all new connections. For daemon mode, issue a SIGHUP to the server process
after changing the config file in order to not affect ongoing connections.
This option can also be set in the configuration file as connections_disabled. The
default value of this option is FALSE.
-offline-msg string
Custom message to be displayed to clients when the server is offline via the
connections_disabled or connections_max = 0 options.
This option can also be set in the configuration file as offline_msg.
-disable-command-list string
A comma separated list of client commands that will be disabled.
This option can also be set in the configuration file as disable_command_list.
-authz-callouts,-cas
Enable the GSI authorization callout framework, for callouts such as CAS.
This option can also be set in the configuration file as cas. The default value of
this option is TRUE.
-use-home-dirs
Set the starting directory to the authenticated users home dir. Disabling this is the
same as setting -home-dir /.
This option can also be set in the configuration file as use_home_dirs. The default
value of this option is TRUE.
-home-dir string
Set a path to override the system defined home/starting directory for authenticated
users. The special variable strings $USER and $HOME may be used. The authenticated
username will be substituted for $USER, and the user’s real home dir will be
substituted for $HOME. Be sure to escape the $ character if using these on the command
line.
This option can also be set in the configuration file as home_dir.
-rp string,-restrict-paths string
A comma separated list of full paths that clients may access. Each path may be
prefixed by R and/or W, denoting read or write access, otherwise full access is
granted. If a given path is a directory, all contents and subdirectories will be given
the same access. Order of paths does not matter — the permissions on the longest
matching path will apply. The special character ~ will be replaced by the
authenticated user’s home directory, or the -home-dir option, if used. Note that if
the home directory is not accessible, \~ will be set to /. By default all paths are
allowed, and access control is handled by the OS. In a striped or split process
configuration, this should be set on both the frontend and data nodes.
This option can also be set in the configuration file as restrict_paths.
-rp-follow-symlinks
Do not verify that a symlink points to an allowed path before following. By default,
symlinks are followed only when they point to an allowed path. By enabling this
option, symlinks will be followed even if they point to a path that is otherwise
restricted.
This option can also be set in the configuration file as rp_follow_symlinks. The
default value of this option is FALSE.
-em string,-acl string
A comma separated list of ACL or event modules to load.
This option can also be set in the configuration file as acl.
Logging Options
-d string,-log-level string
Log level. A comma separated list of levels from: ERROR, WARN, INFO, TRANSFER, DUMP,
ALL. TRANSFER includes the same statistics that are sent to the separate transfer log
when -log-transfer is used. Example: error,warn,info. You may also specify a numeric
level of 1-255. The default level is ERROR.
This option can also be set in the configuration file as log_level. The default value
of this option is ERROR.
-log-module string
globus_logging module that will be loaded. If not set, the default stdio module will
be used, and the logfile options apply. Built in modules are stdio and syslog. Log
module options may be set by specifying module:opt1=val1:opt2=val2. Available options
for the built in modules are interval and buffer, for buffer flush interval and buffer
size, respectively. The default options are a 64k buffer size and a 5 second flush
interval. A 0 second flush interval will disable periodic flushing, and the buffer
will only flush when it is full. A value of 0 for buffer will disable buffering and
all messages will be written immediately. Example: -log-module
stdio:buffer=4096:interval=10
This option can also be set in the configuration file as log_module.
-l string,-logfile string
Path of a single file to log all activity to. If neither this option or log_unique is
set, logs will be written to stderr unless the execution mode is detached or inetd, in
which case logging will be disabled.
This option can also be set in the configuration file as log_single.
-L string,-logdir string
Partial path to which gridftp.(pid).log will be appended to construct the log
filename. Example: -L /var/log/gridftp/ will create a separate log (
/var/log/gridftp/gridftp.xxxx.log ) for each process (which is normally each new
client session). If neither this option or log_single is set, logs will be written to
stderr unless the execution mode is detached or inetd, in which case logging will be
disabled.
This option can also be set in the configuration file as log_unique.
-Z string,-log-transfer string
Log netlogger style info for each transfer into this file. You may also use the
log-level of TRANSFER to include this info in the standard log.
This option can also be set in the configuration file as log_transfer.
-log-filemode string
File access permissions of log files. Should be an octal number such as 0644.
This option can also be set in the configuration file as log_filemode.
-disable-usage-stats
Disable transmission of per-transfer usage statistics. See the Usage Statistics
section in the online documentation for more information.
This option can also be set in the configuration file as disable_usage_stats. The
default value of this option is FALSE.
-usage-stats-target string
Comma separated list of contact strings (host:port) for usage statistics receivers.
The usage stats sent to a particular receiver may be customized by configuring it with
a taglist (host:port!taglist) The taglist is a list of characters that each correspond
to a usage stats tag. When this option is unset, stats are reported to
usage-stats.globus.org:4810. If you set your own receiver, and wish to continue
reporting to the Globus receiver, you will need to add it manually. The list of
available tags follow. Tags marked * are reported by default.
*(e) START - start time of transfer
*(E) END - end time of transfer
*(v) VER - version string of GridFTP server
*(b) BUFFER - tcp buffer size used for transfer
*(B) BLOCK - disk blocksize used for transfer
*(N) NBYTES - number of bytes transferred
*(s) STREAMS - number of parallel streams used
*(S) STRIPES - number of stripes used
*(t) TYPE - transfer command: RETR, STOR, LIST, etc
*(c) CODE - ftp result code (226 = success, 5xx = fail)
*(D) DSI - DSI module in use
*(A) EM - event modules in use
*(T) SCHEME - ftp, gsiftp, sshftp, etc. (client supplied)
*(a) APP - guc, rft, generic library app, etc. (client supplied)
*(V) APPVER - version string of above. (client supplied)
(f) FILE - name of file/data transferred
(i) CLIENTIP - ip address of host running client (control channel)
(I) DATAIP - ip address of source/dest host of data (data channel)
(u) USER - local user name the transfer was performed as
(d) USERDN - DN that was mapped to user id
(C) CONFID - ID defined by -usage-stats-id config option
(U) SESSID - unique id that can be used to match transfers in a session and
transfers across source/dest of a third party transfer. (client supplied)
This option can also be set in the configuration file as usage_stats_target.
-usage-stats-id string
Identifying tag to include in usage statistics data. If this is set and
usage-stats-target is unset, CONFID will be added to the default usage stats data.
This option can also be set in the configuration file as usage_stats_id.
Single and Striped Remote Data Node Options
-r string,-remote-nodes string
Comma separated list of remote node contact strings.
This option can also be set in the configuration file as remote_nodes.
-hybrid
When a server is configured for striped operation with the remote_nodes option, both a
frontend and backend process are started even if the client does not request multiple
stripes. This option will start backend processes only when striped operation is
requested by the client, while servicing non-striped requests with a single frontend
process.
This option can also be set in the configuration file as hybrid. The default value of
this option is FALSE.
-dn,-data-node
This server is a backend data node.
This option can also be set in the configuration file as data_node. The default value
of this option is FALSE.
-sbs number,-stripe-blocksize number
Size in bytes of sequential data that each stripe will transfer.
This option can also be set in the configuration file as stripe_blocksize. The default
value of this option is 1048576.
-stripe-count number
Number of number stripes to use per transfer when this server controls that number. If
remote nodes are statically configured (via -r or remote_nodes), this will be set to
that number of nodes, otherwise the default is 1.
This option can also be set in the configuration file as stripe_count.
-sl number,-stripe-layout number
Stripe layout. 1 = Partitioned 2 = Blocked.
This option can also be set in the configuration file as stripe_layout. The default
value of this option is 2.
-stripe-blocksize-locked
Do not allow client to override stripe blocksize with the OPTS RETR command
This option can also be set in the configuration file as stripe_blocksize_locked. The
default value of this option is FALSE.
-stripe-layout-locked
Do not allow client to override stripe layout with the OPTS RETR command
This option can also be set in the configuration file as stripe_layout_locked. The
default value of this option is FALSE.
Disk Options
-bs number,-blocksize number
Size in bytes of data blocks to read from disk before posting to the network.
This option can also be set in the configuration file as blocksize. The default value
of this option is 262144.
-sync-writes
Flush disk writes before sending a restart marker. This attempts to ensure that the
range specified in the restart marker has actually been committed to disk. This option
will probably impact performance, and may result in different behavior on different
storage systems. See the manpage for sync() for more information.
This option can also be set in the configuration file as sync_writes. The default
value of this option is FALSE.
-perms string
Set the default permissions for created files. Should be an octal number such as 0644.
The default is 0644. Note: If umask is set it will affect this setting — i.e. if the
umask is 0002 and this setting is 0666, the resulting files will be created with
permissions of 0664.
This option can also be set in the configuration file as perms.
-file-timeout number
Timeout in seconds for all disk accesses. A value of 0 disables the timeout.
This option can also be set in the configuration file as file_timeout.
Network Options
-p number,-port number
Port on which a frontend will listen for client control channel connections, or on
which a data node will listen for connections from a frontend. If not set a random
port will be chosen and printed via the logging mechanism.
This option can also be set in the configuration file as port.
-control-interface string
Hostname or IP address of the interface to listen for control connections on. If not
set will listen on all interfaces.
This option can also be set in the configuration file as control_interface.
-data-interface string
Hostname or IP address of the interface to use for data connections. If not set will
use the current control interface.
This option can also be set in the configuration file as data_interface.
-ipc-interface string
Hostname or IP address of the interface to use for ipc connections. If not set will
listen on all interfaces.
This option can also be set in the configuration file as ipc_interface.
-hostname string
Effectively sets the above control_interface, data_interface and ipc_interface
options.
This option can also be set in the configuration file as hostname.
-ipc-port number
Port on which the frontend will listen for data node connections.
This option can also be set in the configuration file as ipc_port.
-control-preauth-timeout number
Time in seconds to allow a client to remain connected to the control channel without
activity before authenticating.
This option can also be set in the configuration file as control_preauth_timeout. The
default value of this option is 120.
-control-idle-timeout number
Time in seconds to allow a client to remain connected to the control channel without
activity.
This option can also be set in the configuration file as control_idle_timeout. The
default value of this option is 600.
-ipc-idle-timeout number
Idle time in seconds before an unused ipc connection will close.
This option can also be set in the configuration file as ipc_idle_timeout. The default
value of this option is 900.
-ipc-connect-timeout number
Time in seconds before canceling an attempted ipc connection.
This option can also be set in the configuration file as ipc_connect_timeout. The
default value of this option is 60.
-allow-udt
Enable protocol support for UDT with NAT traversal if the udt driver is available.
Requires threads.
This option can also be set in the configuration file as allow_udt. The default value
of this option is FALSE.
-port-range string
Port range to use for incoming connections. The format is "startport,endport". This,
along with -data-interface, can be used to enable operation behind a firewall and/or
when NAT is involved. This is the same as setting the environment variable
GLOBUS_TCP_PORT_RANGE.
This option can also be set in the configuration file as port_range.
User Messages
-banner string
Message to display to the client before authentication.
This option can also be set in the configuration file as banner.
-banner-file string
File to read banner message from.
This option can also be set in the configuration file as banner_file.
-banner-terse
When this is set, the minimum allowed banner message will be displayed to
unauthenticated clients.
This option can also be set in the configuration file as banner_terse. The default
value of this option is FALSE.
-banner-append
When this is set, the message set in the banner or banner_file option will be appended
to the default banner message rather than replacing it.
This option can also be set in the configuration file as banner_append. The default
value of this option is FALSE.
-version-tag string
Add an identifying string to the existing toolkit version. This is displayed in the
default banner message, the SITE VERSION command, and usage stats.
This option can also be set in the configuration file as version_tag.
-login-msg string
Message to display to the client after authentication.
This option can also be set in the configuration file as login_msg.
-login-msg-file string
File to read login message from.
This option can also be set in the configuration file as login_msg_file.
Module Options
-dsi string
Data Storage Interface module to load. File and remote modules are defined by the
server. If not set, the file module is loaded, unless the remote option is specified,
in which case the remote module is loaded. An additional configuration string can be
passed to the DSI using the format [module name]:[configuration string] to this
option. The format of the configuration string is defined by the DSI being loaded.
This option can also be set in the configuration file as load_dsi_module.
-allowed-modules string
Comma separated list of ERET/ESTO modules to allow, and optionally specify an alias
for. Example: module1,alias2:module2,module3 (module2 will be loaded when a client
asks for alias2).
This option can also be set in the configuration file as allowed_modules.
-dc-whitelist string
A comma separated list of drivers allowed on the network stack.
This option can also be set in the configuration file as dc_whitelist.
-fs-whitelist string
A comma separated list of drivers allowed on the disk stack.
This option can also be set in the configuration file as fs_whitelist.
-popen-whitelist string
A comma separated list of programs that the popen driver is allowed to execute, when
used on the network or disk stack. An alias may also be specified, so that a client
does not need to specify the full path. Format is [alias:]prog,[alias:]prog. example:
/bin/gzip,tar:/bin/tar
This option can also be set in the configuration file as popen_whitelist.
-xnetmgr string
An option string to pass to the XIO Network Manager Driver, which will then be loaded
for all data channel connections. This must be in the form
"manager=module;option1=value;option2=value;". See the Network Manager documentation
for more info.
This option can also be set in the configuration file as xnetmgr.
-dc-default string
A comma separated list of XIO drivers and options representing the default network
stack. Format is of each driver entry is driver1[:opt1=val1;opt2=val2;...]. The bottom
of the stack, the transport driver, is always first.
This option can also be set in the configuration file as dc_default.
-fs-default string
A comma separated list of XIO drivers and options representing the default disk stack.
Format is of each driver entry is driver1[:opt1=val1;opt2=val2;...]. The bottom of the
stack, the transport driver, is always first.
This option can also be set in the configuration file as fs_default.
Other
-c string
Path to main configuration file that should be loaded. Otherwise will attempt to load
$GLOBUS_LOCATION/etc/gridftp.conf and /etc/grid-security/gridftp.conf.
-C string
Path to directory holding configuration files that should be loaded. Files will be
loaded in alphabetical order, and in the event of duplicate parameters the last loaded
file will take precedence. Files with a . in the name (file.bak, file.rpmsave, etc.)
will be ignored. Note that the main configuration file, if one exists, will always be
loaded last.
This option can also be set in the configuration file as config_dir.
-config-base-path string
Base path to use when config and log path options are not full paths. By default this
is the current directory when the process is started.
This option can also be set in the configuration file as config_base_path.
-debug
Sets options that make server easier to debug. Forces no-fork, no-chdir, and allows
core dumps on bad signals instead of exiting cleanly. Not recommended for production
servers. Note that non-forked servers running as root will only accept a single
connection, and then exit.
This option can also be set in the configuration file as debug. The default value of
this option is FALSE.
-pidfile string
This option can also be set in the configuration file as pidfile.
EXIT STATUS
0
Successful program execution.