Provided by: globus-gridftp-server-progs_12.2-2_amd64

NAME

       globus-gridftp-server - The Globus GridFTP server daemon

SYNOPSIS

       globus-gridftp-server OPTIONS

DESCRIPTION

       The globus-gridftp-server program is an FTP server with support for GridFTP protocol extensions, including
       strong authentication, parallel data transfers, and parallel data layouts.

OPTIONS

       The list below contains the command-line options for the server, and also the name of the configuration
       file entry that implements that option. Note that any boolean option can be negated on the command line
       by preceding the specified option with -no- or -n. Example: -no-cas or -nf.

   Informational Options
       -h,-help
           Show usage information and exit.

           This option can also be set in the configuration file as help. The default value of this option is
           FALSE.

       -hh,-longhelp
           Show more usage information and exit.

           This option can also be set in the configuration file as longhelp. The default value of this option
           is FALSE.

       -v,-version
           Show version information for the server and exit.

           This option can also be set in the configuration file as version. The default value of this option is
           FALSE.

       -V,-versions
           Show version information for all loaded globus libraries and exit.

           This option can also be set in the configuration file as versions. The default value of this option
           is FALSE.

   Modes of Operation
       -i,-inetd
           Run under an inetd service.

           This option can also be set in the configuration file as inetd. The default value of this option is
           FALSE.

       -s,-daemon
           Run as a daemon. All connections will fork off a new process and setuid if allowed.

           This option can also be set in the configuration file as daemon. The default value of this option is
           TRUE.

       -S,-detach
           Run as a background daemon detached from any controlling terminals.

           This option can also be set in the configuration file as detach. The default value of this option is
           FALSE.

       -ssh
           Run over a connected ssh session.

           This option can also be set in the configuration file as ssh. The default value of this option is
           FALSE.

       -exec string
           For statically compiled or non-GLOBUS_LOCATION standard binary locations, specify the full path of
           the server binary here. Only needed when run in daemon mode.

           This option can also be set in the configuration file as exec.

       -chdir
           Change directory when the server starts. This will change directory to the dir specified by the
           chdir_to option.

           This option can also be set in the configuration file as chdir. The default value of this option is
           TRUE.

       -chdir-to string
           Directory to chdir to after starting. Will use / if not set. Note that this is the directory of the
           process, not the client’s home directory.

           This option can also be set in the configuration file as chdir_to.

       -threads number
           Enable threaded operation and set the number of threads. The default is 0, which is non-threaded.
           When threading is required, a thread count of 1 or 2 should be sufficient.

           This option can also be set in the configuration file as threads.

       -f,-fork
           Server will fork for each new connection. Disabling this option is only recommended when debugging.
           Note that non-forked servers running as root will only accept a single connection, and then exit.

           This option can also be set in the configuration file as fork. The default value of this option is
           TRUE.

       -1,-single
           Exit after a single connection.

           This option can also be set in the configuration file as single. The default value of this option is
           FALSE.

       -chroot-path string
           Path to become the new root after authentication. This path must contain a valid certificate
           structure, /etc/passwd, and /etc/group. The command globus-gridftp-server-setup-chroot can help
           create a suitable directory structure.

           This option can also be set in the configuration file as chroot_path.

   Authentication, Authorization, and Security Options
       -auth-level number
           Add levels together to use more than one.

                 0 = Disables all authorization checks.
                 1 = Authorize identity.
                 2 = Authorize all file/resource accesses.
                 4 = Disable changing process uid to authenticated user (no setuid) -- DO NOT use this when process is started as root.

           If not set, uses level 2 for front ends and level 1 for data nodes. Note that levels 2 and 4 imply
           level 1 as well.

           This option can also be set in the configuration file as auth_level.

       -ipc-allow-from string
           Only allow connections from these source ip addresses. Specify a comma separated list of ip address
           fragments. A match is any ip address that starts with the specified fragment. Example: 192.168.1.
           will match and allow a connection from 192.168.1.45. Note that if this option is used any address not
           specifically allowed will be denied.

           This option can also be set in the configuration file as ipc_allow_from.

       -ipc-deny-from string
           Deny connections from these source ip addresses. Specify a comma separated list of ip address
           fragments. A match is any ip address that starts with the specified fragment. Example: 192.168.2.
           will match and deny a connection from 192.168.2.45.

           This option can also be set in the configuration file as ipc_deny_from.

       -allow-from string
           Only allow connections from these source ip addresses. Specify a comma separated list of ip address
           fragments. A match is any ip address that starts with the specified fragment. Example: 192.168.1.
           will match and allow a connection from 192.168.1.45. Note that if this option is used any address not
           specifically allowed will be denied.

           This option can also be set in the configuration file as allow_from.

       -deny-from string
           Deny connections from these source ip addresses. Specify a comma separated list of ip address
           fragments. A match is any ip address that starts with the specified fragment. Example: 192.168.2.
           will match and deny a connection from 192.168.2.45.

           This option can also be set in the configuration file as deny_from.
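
           The fragment rule used by -allow-from, -deny-from and their -ipc- variants is a plain "starts with"
           test, so a fragment that stops in the middle of an octet matches more addresses than it appears to.
           The following is an added example, not part of the Globus code base; it models only the rule as
           documented above for IPv4, and its function names and sample values are constructed.

```python
"""Model of the documented "starts with the specified fragment" rule (IPv4 only)."""


def split_fragments(value):
    """Split an allow_from / deny_from style value into its fragments."""
    return [f.strip() for f in value.split(",") if f.strip()]


def matches(value, addr):
    """True if addr starts with any fragment in the comma separated value."""
    return any(addr.startswith(f) for f in split_fragments(value))


def extra_octets(fragment):
    """Octet values a fragment also matches because it stops mid-octet.

    "192.168.1." ends on an octet boundary, so nothing extra matches.
    "192.168.1" leaves the third octet open: 10-19 and 100-199 match too.
    """
    if fragment.endswith("."):
        return []
    partial = fragment.rsplit(".", 1)[-1]
    return [n for n in range(256)
            if str(n).startswith(partial) and str(n) != partial]


def lint(value):
    """Map each over-broad fragment to the extra octet values it matches."""
    report = {}
    for frag in split_fragments(value):
        extras = extra_octets(frag)
        if extras:
            report[frag] = extras
    return report


if __name__ == "__main__":
    # Constructed sample value, not taken from a real deployment.
    allow_from = "192.168.1,10.20.30.4,172.16.5."
    for frag, extras in lint(allow_from).items():
        print(f"{frag!r} also matches {len(extras)} other octet values, e.g. {extras[0]}")
    for addr in ("192.168.1.45", "192.168.10.7", "10.20.30.41", "172.16.50.1"):
        print(addr, "matches" if matches(allow_from, addr) else "no match")
```

           Ending every network fragment with a dot keeps the match on an octet boundary.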

       -encrypt-data
           Require encrypted data channels. This will cause an error and prevent all transfers in which the
           client does not request an authenticated and encrypted data channel.

           This option can also be set in the configuration file as encrypt_data. The default value of this
           option is FALSE.

       -si,-secure-ipc
           Use GSI security on ipc channel.

           This option can also be set in the configuration file as secure_ipc. The default value of this option
           is TRUE.

       -ia string,-ipc-auth-mode string
           Set GSI authorization mode for the ipc connection. Options are: none, host, self or
           subject:[subject].

           This option can also be set in the configuration file as ipc_auth_mode. The default value of this
           option is host.

       -aa,-allow-anonymous
           Allow clear text anonymous access. If server is running as root anonymous_user must also be set.
           Disables ipc security.

           This option can also be set in the configuration file as allow_anonymous. The default value of this
           option is FALSE.

       -anonymous-names-allowed string
           Comma separated list of names to treat as anonymous users when allowing anonymous access. If not set,
           the default names of anonymous and ftp will be allowed. Use * to allow any username.

           This option can also be set in the configuration file as anonymous_names_allowed.

       -anonymous-user string
           User to setuid to for an anonymous connection. Only applies when running as root.

           This option can also be set in the configuration file as anonymous_user.

       -anonymous-group string
           Group to setgid to for an anonymous connection. If unset, the default group of anonymous_user will be
           used.

           This option can also be set in the configuration file as anonymous_group.

       -sharing-dn string
           Allow sharing when using the supplied DN. A client connected with these credentials will be able to
           access any user for which sharing is enabled.

           This option can also be set in the configuration file as sharing_dn.

       -sharing-state-dir string
           Full path to a directory that will contain files used by GridFTP to control sharing access for
           individual local accounts. The special variables $HOME and $USER can be used to create a dynamic path
           that is unique to each local account. This path must be writable by the associated account. The
           default path is $HOME/.globus/sharing/. This must refer to a path on the filesystem, not a path that
           is only accessible via a DSI plugin.

           This option can also be set in the configuration file as sharing_state_dir.

       -sharing-control
           Allow a local user account to control its own sharing access via special GridFTP client commands. The
           user account must have filesystem write access to the sharing state dir.

           This option can also be set in the configuration file as sharing_control. The default value of this
           option is TRUE.

       -sharing-rp string
           Sharing specific path restrictions. This completely replaces the normal path restrictions (-rp) when
           an account is being shared by a sharing-dn login. Follows normal path restriction semantics.

           This option can also be set in the configuration file as sharing_rp.

       -sharing-users-allow string
           Comma separated list of usernames that are allowed to share unless matched in the user deny lists. If
           this list is set, users that are not included will be denied unless matched in the group allow list.

           This option can also be set in the configuration file as sharing_users_allow.

       -sharing-users-deny string
           Comma separated list of usernames that are denied sharing even if matched in the user or group allow
           lists.

           This option can also be set in the configuration file as sharing_users_deny.

       -sharing-groups-allow string
           Comma separated list of groups whose members are allowed to share unless matched in the user or group
           deny lists. If this list is set, groups that are not included will be denied unless matched in the
           user allow list.

           This option can also be set in the configuration file as sharing_groups_allow.

       -sharing-groups-deny string
           Comma separated list of groups whose members will be denied sharing unless matched in the user allow
           list.

           This option can also be set in the configuration file as sharing_groups_deny.

       -allow-root
           Allow clients to be mapped to the root account.

           This option can also be set in the configuration file as allow_root. The default value of this option
           is FALSE.

       -allow-disabled-login
           Do not check if a user’s system account is disabled before allowing login.

           This option can also be set in the configuration file as allow_disabled_login. The default value of
           this option is FALSE.

       -password-file string
           Enable clear text access and authenticate users against this /etc/passwd formatted file.

           This option can also be set in the configuration file as pw_file.

       -connections-max number
           Maximum concurrent connections allowed. Only applies when running in daemon mode. Unlimited if not
           set.

           This option can also be set in the configuration file as connections_max.

       -connections-disabled
           Disable all new connections. For daemon mode, issue a SIGHUP to the server process after changing the
           config file in order to not affect ongoing connections.

           This option can also be set in the configuration file as connections_disabled. The default value of
           this option is FALSE.

       -offline-msg string
           Custom message to be displayed to clients when the server is offline via the connections_disabled or
           connections_max = 0 options.

           This option can also be set in the configuration file as offline_msg.

       -disable-command-list string
           A comma separated list of client commands that will be disabled.

           This option can also be set in the configuration file as disable_command_list.

       -authz-callouts,-cas
           Enable the GSI authorization callout framework, for callouts such as CAS.

           This option can also be set in the configuration file as cas. The default value of this option is
           TRUE.

       -use-home-dirs
           Set the starting directory to the authenticated user’s home dir. Disabling this is the same as setting
           -home-dir /.

           This option can also be set in the configuration file as use_home_dirs. The default value of this
           option is TRUE.

       -home-dir string
           Set a path to override the system defined home/starting directory for authenticated users. The
           special variable strings $USER and $HOME may be used. The authenticated username will be substituted
           for $USER, and the user’s real home dir will be substituted for $HOME. Be sure to escape the $
           character if using these on the command line.

           This option can also be set in the configuration file as home_dir.

       -rp string,-restrict-paths string
           A comma separated list of full paths that clients may access. Each path may be prefixed by R and/or
           W, denoting read or write access, otherwise full access is granted. If a given path is a directory,
           all contents and subdirectories will be given the same access. Order of paths does not matter — the
           permissions on the longest matching path will apply. The special character ~ will be replaced by the
           authenticated user’s home directory, or the -home-dir option, if used. Note that if the home
           directory is not accessible, ~ will be set to /. By default all paths are allowed, and access
           control is handled by the OS. In a striped or split process configuration, this should be set on both
           the frontend and data nodes.

           This option can also be set in the configuration file as restrict_paths.
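
           To review a restrict_paths value before deploying it, the longest-match rule described above can be
           modelled offline. This is an added example, not the server's own code: matching on whole path
           components and normalising ".." are assumptions of the model, symlinks are not resolved, and the
           function names and sample paths are constructed.

```python
"""Model of the documented -restrict-paths semantics (longest matching path wins)."""
import posixpath

FULL = frozenset("RW")

# Constructed sample policy: read-only tree with a write-only drop directory.
SAMPLE_RP = "R/data,W/data/incoming,/scratch,RW~"


def parse_restrict_paths(value, home="/"):
    """Turn 'R/data,W/data/incoming,/scratch' into [(path, modes), ...]."""
    rules = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        i = 0
        while i < len(entry) and entry[i] in "RW":
            i += 1
        modes = frozenset(entry[:i]) or FULL   # no prefix means full access
        path = entry[i:]
        if path.startswith("~"):               # ~ is the user's home directory
            path = (home.rstrip("/") + path[1:]) or "/"
        rules.append((posixpath.normpath(path), modes))
    return rules


def access(rules, path):
    """Return the set of modes ('R', 'W') the policy grants on path."""
    if not rules:                              # option unset: all paths allowed
        return FULL
    path = posixpath.normpath(path)
    best = None
    for rule_path, modes in rules:
        prefix = rule_path.rstrip("/") + "/"
        if path == rule_path or path.startswith(prefix):
            # Order of entries does not matter; the longest path decides.
            if best is None or len(rule_path) > len(best[0]):
                best = (rule_path, modes)
    return best[1] if best else frozenset()


if __name__ == "__main__":
    rules = parse_restrict_paths(SAMPLE_RP, home="/home/alice")
    for p in ("/data/report.csv", "/data/incoming/new.bin",
              "/data/incoming/../secret.txt", "/database/dump.sql",
              "/home/alice/notes", "/etc/passwd"):
        print(f"{p:32} {''.join(sorted(access(rules, p))) or 'denied'}")
```

           Note that the write-only entry for /data/incoming overrides the read access inherited from /data, and
           that the OS permissions still apply on top of whatever this policy grants.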

       -rp-follow-symlinks
           Do not verify that a symlink points to an allowed path before following. By default, symlinks are
           followed only when they point to an allowed path. By enabling this option, symlinks will be followed
           even if they point to a path that is otherwise restricted.

           This option can also be set in the configuration file as rp_follow_symlinks. The default value of
           this option is FALSE.

       -em string,-acl string
           A comma separated list of ACL or event modules to load.

           This option can also be set in the configuration file as acl.
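
           Several options in this section weaken authentication or authorization when enabled. The following
           audit sketch collects them into one check over a configuration file. It is an added example, not
           part of the Globus tooling; it assumes one "name value" pair per line, # comments and booleans
           written as 0 or 1, and the sample file and function names are constructed.

```python
"""Flag gridftp.conf settings that this page describes as weakening security."""

# Options that default to FALSE and reduce security when switched on.
RISKY_WHEN_ON = {
    "allow_anonymous": "clear text anonymous access; also disables ipc security",
    "allow_root": "clients may be mapped to the root account",
    "allow_disabled_login": "disabled system accounts are not rejected",
    "rp_follow_symlinks": "symlinks are followed into otherwise restricted paths",
}

# Constructed sample configuration, not from a real server.
SAMPLE_CONF = """\
port 2811
auth_level 4            # no setuid
allow_anonymous 1
anonymous_names_allowed *
pw_file /etc/grid-security/ftp-passwd
rp_follow_symlinks 0
secure_ipc 0
restrict_paths R/data,W/data/incoming
"""


def parse_conf(text):
    """Parse 'name value' lines (assumed syntax), dropping # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip().strip('"') if len(parts) > 1 else ""
    return conf


def is_on(conf, name, default=False):
    """Boolean lookup; assumes 0/1 spelling, anything but ''/'0' counts as on."""
    value = conf.get(name)
    return default if value is None else value not in ("", "0")


def decode_auth_level(level):
    """Expand the additive -auth-level value into the checks it selects."""
    if level == 0:
        return ["all authorization checks disabled"]
    parts = ["authorize identity"]             # levels 2 and 4 imply level 1
    if level & 2:
        parts.append("authorize all file/resource accesses")
    if level & 4:
        parts.append("no setuid to authenticated user")
    return parts


def audit(text, started_as_root=True):
    """Return a list of (option, reason) findings for the given config text."""
    conf, findings = parse_conf(text), []
    if "auth_level" in conf:
        level = int(conf["auth_level"])
        if level == 0:
            findings.append(("auth_level", "0 disables all authorization checks"))
        elif level & 4 and started_as_root:
            findings.append(("auth_level", "level 4 must not be used when started as root"))
    for name, why in RISKY_WHEN_ON.items():
        if is_on(conf, name):
            findings.append((name, why))
    if is_on(conf, "allow_anonymous"):
        if started_as_root and not conf.get("anonymous_user"):
            findings.append(("anonymous_user", "must be set when running as root"))
        if conf.get("anonymous_names_allowed") == "*":
            findings.append(("anonymous_names_allowed", "* accepts any username as anonymous"))
    if conf.get("pw_file"):
        findings.append(("pw_file", "enables clear text access"))
    if not is_on(conf, "encrypt_data"):
        findings.append(("encrypt_data", "encrypted data channels are not required"))
    if not is_on(conf, "secure_ipc", default=True):
        findings.append(("secure_ipc", "GSI security on the ipc channel is off"))
    if conf.get("ipc_auth_mode") == "none":
        findings.append(("ipc_auth_mode", "no GSI authorization on the ipc connection"))
    return findings


if __name__ == "__main__":
    for option, reason in audit(SAMPLE_CONF):
        print(f"{option}: {reason}")
```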

   Logging Options
       -d string,-log-level string
           Log level. A comma separated list of levels from: ERROR, WARN, INFO, TRANSFER, DUMP, ALL. TRANSFER
           includes the same statistics that are sent to the separate transfer log when -log-transfer is used.
           Example: error,warn,info. You may also specify a numeric level of 1-255. The default level is ERROR.

           This option can also be set in the configuration file as log_level. The default value of this option
           is ERROR.

       -log-module string
           globus_logging module that will be loaded. If not set, the default stdio module will be used, and the
           logfile options apply. Built in modules are stdio and syslog. Log module options may be set by
           specifying module:opt1=val1:opt2=val2. Available options for the built in modules are interval and
           buffer, for buffer flush interval and buffer size, respectively. The default options are a 64k buffer
           size and a 5 second flush interval. A 0 second flush interval will disable periodic flushing, and the
           buffer will only flush when it is full. A value of 0 for buffer will disable buffering and all
           messages will be written immediately. Example: -log-module stdio:buffer=4096:interval=10

           This option can also be set in the configuration file as log_module.

       -l string,-logfile string
           Path of a single file to log all activity to. If neither this option nor log_unique is set, logs will
           be written to stderr unless the execution mode is detached or inetd, in which case logging will be
           disabled.

           This option can also be set in the configuration file as log_single.

       -L string,-logdir string
           Partial path to which gridftp.(pid).log will be appended to construct the log filename. Example: -L
           /var/log/gridftp/ will create a separate log ( /var/log/gridftp/gridftp.xxxx.log ) for each process
           (which is normally each new client session). If neither this option nor log_single is set, logs will
           be written to stderr unless the execution mode is detached or inetd, in which case logging will be
           disabled.

           This option can also be set in the configuration file as log_unique.

       -Z string,-log-transfer string
           Log netlogger style info for each transfer into this file. You may also use the log-level of TRANSFER
           to include this info in the standard log.

           This option can also be set in the configuration file as log_transfer.

       -log-filemode string
           File access permissions of log files. Should be an octal number such as 0644.

           This option can also be set in the configuration file as log_filemode.

       -disable-usage-stats
           Disable transmission of per-transfer usage statistics. See the Usage Statistics section in the online
           documentation for more information.

           This option can also be set in the configuration file as disable_usage_stats. The default value of
           this option is FALSE.

       -usage-stats-target string
           Comma separated list of contact strings (host:port) for usage statistics receivers. The usage stats
           sent to a particular receiver may be customized by configuring it with a taglist (host:port!taglist).
           The taglist is a list of characters that each correspond to a usage stats tag. When this option is
           unset, stats are reported to usage-stats.globus.org:4810. If you set your own receiver, and wish to
           continue reporting to the Globus receiver, you will need to add it manually. The list of available
           tags follows. Tags marked * are reported by default.

               *(e) START - start time of transfer
               *(E) END - end time of transfer
               *(v) VER - version string of GridFTP server
               *(b) BUFFER - tcp buffer size used for transfer
               *(B) BLOCK - disk blocksize used for transfer
               *(N) NBYTES - number of bytes transferred
               *(s) STREAMS - number of parallel streams used
               *(S) STRIPES - number of stripes used
               *(t) TYPE - transfer command: RETR, STOR, LIST, etc
               *(c) CODE - ftp result code (226 = success, 5xx = fail)
               *(D) DSI - DSI module in use
               *(A) EM - event modules in use
               *(T) SCHEME - ftp, gsiftp, sshftp, etc. (client supplied)
               *(a) APP - guc, rft, generic library app, etc. (client supplied)
               *(V) APPVER - version string of above. (client supplied)
               (f) FILE - name of file/data transferred
               (i) CLIENTIP - ip address of host running client (control channel)
               (I) DATAIP - ip address of source/dest host of data (data channel)
               (u) USER - local user name the transfer was performed as
               (d) USERDN - DN that was mapped to user id
               (C) CONFID - ID defined by -usage-stats-id config option
               (U) SESSID - unique id that can be used to match transfers in a session and
                   transfers across source/dest of a third party transfer. (client supplied)

           This option can also be set in the configuration file as usage_stats_target.

       -usage-stats-id string
           Identifying tag to include in usage statistics data. If this is set and usage-stats-target is unset,
           CONFID will be added to the default usage stats data.

           This option can also be set in the configuration file as usage_stats_id.

   Single and Striped Remote Data Node Options
       -r string,-remote-nodes string
           Comma separated list of remote node contact strings.

           This option can also be set in the configuration file as remote_nodes.

       -hybrid
           When a server is configured for striped operation with the remote_nodes option, both a frontend and
           backend process are started even if the client does not request multiple stripes. This option will
           start backend processes only when striped operation is requested by the client, while servicing
           non-striped requests with a single frontend process.

           This option can also be set in the configuration file as hybrid. The default value of this option is
           FALSE.

       -dn,-data-node
           This server is a backend data node.

           This option can also be set in the configuration file as data_node. The default value of this option
           is FALSE.

       -sbs number,-stripe-blocksize number
           Size in bytes of sequential data that each stripe will transfer.

           This option can also be set in the configuration file as stripe_blocksize. The default value of this
           option is 1048576.

       -stripe-count number
           Number of stripes to use per transfer when this server controls that number. If remote nodes
           are statically configured (via -r or remote_nodes), this will be set to that number of nodes,
           otherwise the default is 1.

           This option can also be set in the configuration file as stripe_count.

       -sl number,-stripe-layout number
           Stripe layout. 1 = Partitioned, 2 = Blocked.

           This option can also be set in the configuration file as stripe_layout. The default value of this
           option is 2.

       -stripe-blocksize-locked
           Do not allow client to override stripe blocksize with the OPTS RETR command.

           This option can also be set in the configuration file as stripe_blocksize_locked. The default value
           of this option is FALSE.

       -stripe-layout-locked
           Do not allow client to override stripe layout with the OPTS RETR command.

           This option can also be set in the configuration file as stripe_layout_locked. The default value of
           this option is FALSE.

   Disk Options
       -bs number,-blocksize number
           Size in bytes of data blocks to read from disk before posting to the network.

           This option can also be set in the configuration file as blocksize. The default value of this option
           is 262144.

       -sync-writes
           Flush disk writes before sending a restart marker. This attempts to ensure that the range specified
           in the restart marker has actually been committed to disk. This option will probably impact
           performance, and may result in different behavior on different storage systems. See the manpage for
           sync() for more information.

           This option can also be set in the configuration file as sync_writes. The default value of this
           option is FALSE.

       -perms string
           Set the default permissions for created files. Should be an octal number such as 0644. The default is
           0644. Note: If umask is set it will affect this setting — i.e. if the umask is 0002 and this setting
           is 0666, the resulting files will be created with permissions of 0664.

           This option can also be set in the configuration file as perms.

       -file-timeout number
           Timeout in seconds for all disk accesses. A value of 0 disables the timeout.

           This option can also be set in the configuration file as file_timeout.

   Network Options
       -p number,-port number
           Port on which a frontend will listen for client control channel connections, or on which a data node
           will listen for connections from a frontend. If not set a random port will be chosen and printed via
           the logging mechanism.

           This option can also be set in the configuration file as port.

       -control-interface string
           Hostname or IP address of the interface to listen for control connections on. If not set will listen
           on all interfaces.

           This option can also be set in the configuration file as control_interface.

       -data-interface string
           Hostname or IP address of the interface to use for data connections. If not set will use the current
           control interface.

           This option can also be set in the configuration file as data_interface.

       -ipc-interface string
           Hostname or IP address of the interface to use for ipc connections. If not set will listen on all
           interfaces.

           This option can also be set in the configuration file as ipc_interface.

       -hostname string
           Effectively sets the above control_interface, data_interface and ipc_interface options.

           This option can also be set in the configuration file as hostname.

       -ipc-port number
           Port on which the frontend will listen for data node connections.

           This option can also be set in the configuration file as ipc_port.

       -control-preauth-timeout number
           Time in seconds to allow a client to remain connected to the control channel without activity before
           authenticating.

           This option can also be set in the configuration file as control_preauth_timeout. The default value
           of this option is 120.

       -control-idle-timeout number
           Time in seconds to allow a client to remain connected to the control channel without activity.

           This option can also be set in the configuration file as control_idle_timeout. The default value of
           this option is 600.

       -ipc-idle-timeout number
           Idle time in seconds before an unused ipc connection will close.

           This option can also be set in the configuration file as ipc_idle_timeout. The default value of this
           option is 900.

       -ipc-connect-timeout number
           Time in seconds before canceling an attempted ipc connection.

           This option can also be set in the configuration file as ipc_connect_timeout. The default value of
           this option is 60.

       -allow-udt
           Enable protocol support for UDT with NAT traversal if the udt driver is available. Requires threads.

           This option can also be set in the configuration file as allow_udt. The default value of this option
           is FALSE.

       -port-range string
           Port range to use for incoming connections. The format is "startport,endport". This, along with
           -data-interface, can be used to enable operation behind a firewall and/or when NAT is involved. This
           is the same as setting the environment variable GLOBUS_TCP_PORT_RANGE.

           This option can also be set in the configuration file as port_range.

   User Messages
       -banner string
           Message to display to the client before authentication.

           This option can also be set in the configuration file as banner.

       -banner-file string
           File to read banner message from.

           This option can also be set in the configuration file as banner_file.

       -banner-terse
           When this is set, the minimum allowed banner message will be displayed to unauthenticated clients.

           This option can also be set in the configuration file as banner_terse. The default value of this
           option is FALSE.

       -banner-append
           When this is set, the message set in the banner or banner_file option will be appended to the default
           banner message rather than replacing it.

           This option can also be set in the configuration file as banner_append. The default value of this
           option is FALSE.

       -version-tag string
           Add an identifying string to the existing toolkit version. This is displayed in the default banner
           message, the SITE VERSION command, and usage stats.

           This option can also be set in the configuration file as version_tag.

       -login-msg string
           Message to display to the client after authentication.

           This option can also be set in the configuration file as login_msg.

       -login-msg-file string
           File to read login message from.

           This option can also be set in the configuration file as login_msg_file.

   Module Options
       -dsi string
           Data Storage Interface module to load. File and remote modules are defined by the server. If not set,
           the file module is loaded, unless the remote option is specified, in which case the remote module is
           loaded. An additional configuration string can be passed to the DSI using the format [module
           name]:[configuration string] to this option. The format of the configuration string is defined by the
           DSI being loaded.

           This option can also be set in the configuration file as load_dsi_module.

       -allowed-modules string
           Comma separated list of ERET/ESTO modules to allow, and optionally specify an alias for. Example:
           module1,alias2:module2,module3 (module2 will be loaded when a client asks for alias2).

           This option can also be set in the configuration file as allowed_modules.

       -dc-whitelist string
           A comma separated list of drivers allowed on the network stack.

           This option can also be set in the configuration file as dc_whitelist.

       -fs-whitelist string
           A comma separated list of drivers allowed on the disk stack.

           This option can also be set in the configuration file as fs_whitelist.

       -popen-whitelist string
           A comma separated list of programs that the popen driver is allowed to execute, when used on the
           network or disk stack. An alias may also be specified, so that a client does not need to specify the
           full path. Format is [alias:]prog,[alias:]prog. Example: /bin/gzip,tar:/bin/tar

           This option can also be set in the configuration file as popen_whitelist.

       -xnetmgr string
           An option string to pass to the XIO Network Manager Driver, which will then be loaded for all data
           channel connections. This must be in the form "manager=module;option1=value;option2=value;". See the
           Network Manager documentation for more info.

           This option can also be set in the configuration file as xnetmgr.

       -dc-default string
           A comma separated list of XIO drivers and options representing the default network stack. Format of
           each driver entry is driver1[:opt1=val1;opt2=val2;...]. The bottom of the stack, the transport
           driver, is always first.

           This option can also be set in the configuration file as dc_default.

       -fs-default string
           A comma separated list of XIO drivers and options representing the default disk stack. Format of
           each driver entry is driver1[:opt1=val1;opt2=val2;...]. The bottom of the stack, the transport
           driver, is always first.

           This option can also be set in the configuration file as fs_default.

   Other
       -c string
           Path to main configuration file that should be loaded. Otherwise will attempt to load
           $GLOBUS_LOCATION/etc/gridftp.conf and /etc/grid-security/gridftp.conf.

       -C string
           Path to directory holding configuration files that should be loaded. Files will be loaded in
           alphabetical order, and in the event of duplicate parameters the last loaded file will take
           precedence. Files with a . in the name (file.bak, file.rpmsave, etc.) will be ignored. Note that the
           main configuration file, if one exists, will always be loaded last.

           This option can also be set in the configuration file as config_dir.

       -config-base-path string
           Base path to use when config and log path options are not full paths. By default this is the current
           directory when the process is started.

           This option can also be set in the configuration file as config_base_path.

       -debug
           Sets options that make the server easier to debug. Forces no-fork, no-chdir, and allows core dumps on bad
           signals instead of exiting cleanly. Not recommended for production servers. Note that non-forked
           servers running as root will only accept a single connection, and then exit.

           This option can also be set in the configuration file as debug. The default value of this option is
           FALSE.

       -pidfile string

           This option can also be set in the configuration file as pidfile.

EXIT STATUS

       0
           Successful program execution.