munged(8)

1
2MUNGED(8)                 MUNGE Uid 'N' Gid Emporium                 MUNGED(8)
3
4
5

NAME

7       munged - MUNGE daemon
8
9

SYNOPSIS

11       munged [OPTION]...
12
13

DESCRIPTION

15       The munged daemon is responsible for authenticating local MUNGE clients
16       and servicing their credential encode & decode  requests.   All  munged
17       daemons  within  a security realm share a secret key.  This key is used
18       to protect the contents of a credential.
19
20       When a credential is created, munged embeds metadata within it  includ‐
21       ing  the  effective UID and GID of the requesting client (as determined
22       by munged) and the current time (as determined by the local clock).  It
23       then  compresses  the  data,  computes  a  message authentication code,
24       encrypts the data, and base64-encodes the result before  returning  the
25       credential to the client.
26
27       When a credential is validated, munged first checks the message authen‐
28       tication code to  ensure  the  credential  has  not  been  subsequently
29       altered.   Next,  it checks the embedded UID/GID restrictions to deter‐
30       mine whether the requesting client is allowed to decode it.   Then,  it
31       checks  the embedded encode time against the current time; if this dif‐
32       ference exceeds the embedded time-to-live, the credential has  expired.
33       Finally,  it checks whether this credential has been previously decoded
34       on this host; if so, the credential has been replayed.  If  all  checks
35       pass, the credential metadata and payload are returned to the client.
36
37

OPTIONS

39       -h, --help
40              Display a summary of the command-line options.
41
42       -L, --license
43              Display license information.
44
45       -V, --version
46              Display version information.
47
48       -f, --force
49              Force  the  daemon  to  run  if at all possible.  This overrides
50              warnings for an existing local domain socket, a lack of  entropy
51              for the PRNG, and insecure file/directory permissions.  Use with
52              caution as overriding these warnings can affect security.
53
54       -F, --foreground
55              Run the daemon in the foreground.
56
57       -M, --mlockall
58              Lock all current and future pages in the virtual memory  address
59              space.   Access  to locked pages will never be delayed by a page
60              fault.  This can improve performance and help the daemon  remain
61              responsive when the system is under heavy memory pressure.  This
62              typically requires root privileges or the CAP_IPC_LOCK  capabil‐
63              ity.
64
65       -S, --socket path
66              Specify the local domain socket for communicating with clients.
67
68       --auth-server-dir directory
69              Specify  an  alternate directory in which the daemon will create
70              the pipe used to authenticate clients.  The recommended  permis‐
71              sions for this directory are 0711.  This option is only valid on
72              platforms where client authentication is performed via  a  file-
73              descriptor passing mechanism.
74
75       --auth-client-dir directory
76              Specify  an alternate directory in which clients will create the
77              file used to authenticate themselves to the daemon.  The  recom‐
78              mended  permissions for this directory are 1733.  This option is
79              only valid on platforms where client authentication is performed
80              via a file-descriptor passing mechanism.
81
82       --benchmark
83              Disable  recurring  timers  in  order to reduce some noise while
84              benchmarking.  This affects the PRNG entropy pool, supplementary
85              group  mapping,  and credential replay hash.  Do not enable this
86              option when running in production.
87
88       --group-check-mtime boolean
89              Specify whether the modification time of  /etc/group  should  be
90              checked  before updating the supplementary group membership map‐
91              ping.  If this value is non-zero, the check will be enabled  and
92              the  mapping  will not be updated unless the file has been modi‐
93              fied since the last update.
94
95       --group-update-time integer
96              Specify the number of seconds between updates to the  supplemen‐
97              tary  group  membership  mapping;  this  mapping  is  used  when
98              restricting credentials by GID.  A value of 0 causes  it  to  be
99              computed  initially  but  never  updated  (unless triggered by a
100              SIGHUP).  A value of -1 causes it to be disabled.
101
102       --key-file path
103              Specify an alternate pathname to the key file.
104
105       --log-file path
106              Specify an alternate pathname to the log file.
107
108       --max-ttl integer
109              Specify the maximum allowable time-to-live  value  (in  seconds)
110              for  a  credential.   This setting has an upper-bound imposed by
111              the hard-coded MUNGE_MAXIMUM_TTL value.  Reducing it will  limit
112              the  maximum  growth  of  the  credential replay cache.  This is
113              viable if clocks within the MUNGE realm can be kept in sync with
114              minimal skew.
115
116       --num-threads integer
117              Specify the number of threads to spawn for processing credential
118              requests.
119
120       --pid-file path
121              Specify an alternate pathname for storing the Process ID of  the
122              daemon.
123
124       --seed-file path
125              Specify an alternate pathname to the PRNG seed file.
126
127       --syslog
128              Redirect  log  messages  to syslog when the daemon is running in
129              the background.
130
131       --trusted-group group
132              Specify the group name or GID of the "trusted group".   This  is
133              used  for  permission checks on a directory hierarchy.  Directo‐
134              ries with group write permissions are allowed if they are  owned
135              by the trusted group (or the sticky bit is set).
136
137

SIGNALS

139       SIGHUP Immediately  update  the  supplementary group membership mapping
140              instead of waiting for the next scheduled update;  this  mapping
141              is used when restricting credentials by GID.
142
143       SIGTERM
144              Terminate the daemon.
145
146
147

NOTES

149       All clocks within a security realm must be kept in sync within the cre‐
150       dential time-to-live setting.
151
152       While munged prevents a given credential from being decoded on  a  par‐
153       ticular  host  more than once, nothing prevents a credential from being
154       decoded on multiple hosts within the security realm before it expires.
155
156

AUTHOR

158       Chris Dunlap <cdunlap@llnl.gov>
159
160

COPYRIGHT

162       Copyright (C) 2007-2017 Lawrence Livermore National Security, LLC.
163       Copyright (C) 2002-2007 The Regents of the University of California.
164
165       MUNGE is free software: you can redistribute it and/or modify it  under
166       the  terms  of  the GNU General Public License as published by the Free
167       Software Foundation, either version 3  of  the  License,  or  (at  your
168       option) any later version.
169
170       Additionally  for the MUNGE library (libmunge), you can redistribute it
171       and/or modify it under the terms  of  the  GNU  Lesser  General  Public
172       License  as published by the Free Software Foundation, either version 3
173       of the License, or (at your option) any later version.
174
175