MUNGED(8)                   MUNGE Uid 'N' Gid Emporium                  MUNGED(8)

NAME
       munged - MUNGE daemon

SYNOPSIS
       munged [OPTION]...

DESCRIPTION
       The munged daemon is responsible for authenticating local MUNGE clients
       and servicing their credential encode & decode requests.

       All munged daemons within a security realm share a common key.  All
       hosts within this realm are expected to have common users/UIDs and
       groups/GIDs.  The key is used to cryptographically protect the
       credentials; it is created with the mungekey command.

       When a credential is created, munged embeds metadata within it
       including the effective UID and GID of the requesting client (as
       determined by munged) and the current time (as determined by the local
       clock).  It then compresses the data, computes a message authentication
       code, encrypts the data, and base64-encodes the result before returning
       the credential to the client.

       When a credential is validated, munged first checks the message
       authentication code to ensure the credential has not been subsequently
       altered.  Next, it checks the embedded UID/GID restrictions to
       determine whether the requesting client is allowed to decode it.  Then,
       it checks the embedded encode time against the current time; if this
       difference exceeds the embedded time-to-live, the credential has
       expired.  Finally, it checks whether this credential has been
       previously decoded on this host; if so, the credential has been
       replayed.  If all checks pass, the credential metadata and payload are
       returned to the client.
39
OPTIONS
       -h, --help
              Display a summary of the command-line options.

       -L, --license
              Display license information.

       -V, --version
              Display version information.

       -f, --force
              Force the daemon to run if at all possible.  This overrides
              warnings for an existing local domain socket, a lack of entropy
              for the PRNG, and insecure file/directory permissions.  Use with
              caution, as overriding these warnings can affect security.

       -F, --foreground
              Run the daemon in the foreground.

       -M, --mlockall
              Lock all current and future pages in the virtual memory address
              space.  Access to locked pages will never be delayed by a page
              fault.  This can improve performance and help the daemon remain
              responsive when the system is under heavy memory pressure.  This
              typically requires root privileges or the CAP_IPC_LOCK
              capability.

       -s, --stop
              Stop the daemon bound to the socket and wait for it to shut
              down.  Use with the --socket option to target a daemon bound to
              a non-default socket location.  This option exits with a zero
              status if the specified daemon was successfully stopped, or a
              non-zero status otherwise.

       -S, --socket path
              Specify the local domain socket for communicating with clients.

       -v, --verbose
              Be verbose.

       --auth-server-dir directory
              Specify an alternate directory in which the daemon will create
              the pipe used to authenticate clients.  The recommended
              permissions for this directory are 0711.  This option is only
              valid on platforms where client authentication is performed via
              a file-descriptor passing mechanism.

       --auth-client-dir directory
              Specify an alternate directory in which clients will create the
              file used to authenticate themselves to the daemon.  The
              recommended permissions for this directory are 1733.  This
              option is only valid on platforms where client authentication
              is performed via a file-descriptor passing mechanism.

       --benchmark
              Disable recurring timers in order to reduce some noise while
              benchmarking.  This affects the PRNG entropy pool, supplementary
              group mapping, and credential replay hash.  Do not enable this
              option when running in production.

       --group-check-mtime boolean
              Specify whether the modification time of /etc/group should be
              checked before updating the supplementary group membership
              mapping.  If this value is non-zero, the check will be enabled
              and the mapping will not be updated unless the file has been
              modified since the last update.

       --group-update-time integer
              Specify the number of seconds between updates to the
              supplementary group membership mapping; this mapping is used
              when restricting credentials by GID.  A value of 0 causes it to
              be computed initially but never updated (unless triggered by a
              SIGHUP).  A value of -1 causes it to be disabled.

       --key-file path
              Specify an alternate pathname to the key file.

       --log-file path
              Specify an alternate pathname to the log file.

       --max-ttl integer
              Specify the maximum allowable time-to-live value (in seconds)
              for a credential.  This setting has an upper bound imposed by
              the hard-coded MUNGE_MAXIMUM_TTL value.  Reducing it will limit
              the maximum growth of the credential replay cache.  This is
              viable if clocks within the MUNGE realm can be kept in sync with
              minimal skew.

       --num-threads integer
              Specify the number of threads to spawn for processing credential
              requests.

       --origin address
              Specify the origin address that will be encoded into credential
              metadata.  This can be a hostname or IPv4 address; it can also
              be the name of a local network interface, in which case the
              first IPv4 address found assigned to that interface will be
              used.  The default value is the IPv4 address of the hostname
              returned by gethostname().  Failure to look up the address will
              result in an error; if overridden, the origin will be set to the
              null address.

       --pid-file path
              Specify an alternate pathname for storing the Process ID of the
              daemon.

       --seed-file path
              Specify an alternate pathname to the PRNG seed file.

       --syslog
              Redirect log messages to syslog when the daemon is running in
              the background.

       --trusted-group group
              Specify the group name or GID of the "trusted group".  This is
              used for permission checks on a directory hierarchy.
              Directories with group write permissions are allowed if they
              are owned by the trusted group (or the sticky bit is set).
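The --trusted-group rule above, applied to a directory hierarchy, as an added example (this is not code from MUNGE; it models only the rule the page states: a group-writable directory passes if it is owned by the trusted GID or carries the sticky bit, and directories without group write pass unconditionally). The function names and the temporary demo tree are constructed for this example.

```python
import os
import stat
import tempfile


def group_writable_dir_ok(path, trusted_gid):
    """Apply the page's rule to one directory.

    A directory with group write permission is acceptable only if it is owned
    by the trusted group or has the sticky bit set.  A directory without
    group write permission passes this particular check unconditionally.
    """
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise ValueError(f"{path} is not a directory")
    if not st.st_mode & stat.S_IWGRP:
        return True
    return st.st_gid == trusted_gid or bool(st.st_mode & stat.S_ISVTX)


def ancestors(path):
    """Return path and every parent directory up to the filesystem root, so a
    key-file or socket location can be checked along its whole hierarchy."""
    path = os.path.abspath(path)
    dirs = []
    while True:
        dirs.append(path)
        parent = os.path.dirname(path)
        if parent == path:
            return dirs
        path = parent


def insecure_dirs(dirs, trusted_gid):
    """Return the directories in dirs that violate the trusted-group rule."""
    return [d for d in dirs if not group_writable_dir_ok(d, trusted_gid)]


def build_demo_tree():
    """Construct a throwaway tree (constructed demo data) with one
    group-writable dir, one group-writable dir with the sticky bit, and one
    dir without group write.  Returns (name -> path, owning gid)."""
    base = tempfile.mkdtemp(prefix="munge-perm-demo-")
    modes = {"group_writable": 0o770, "sticky": 0o1770, "plain": 0o750}
    paths = {}
    for name, mode in modes.items():
        p = os.path.join(base, name)
        os.mkdir(p)
        os.chmod(p, mode)  # explicit chmod so the process umask does not matter
        paths[name] = p
    return paths, os.stat(base).st_gid


if __name__ == "__main__":
    paths, gid = build_demo_tree()
    # Treat some other GID as the trusted group so the group-writable dir fails.
    for d in insecure_dirs(list(paths.values()), gid + 1):
        print(f"group-writable and not owned by trusted group, no sticky bit: {d}")
```

The check is the one munged warns about (and which -f, --force would override); running it over `ancestors("/etc/munge/munge.key")` with the configured trusted GID before starting the daemon surfaces the same class of problem ahead of time.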
159
SIGNALS
       SIGHUP Immediately update the supplementary group membership mapping
              instead of waiting for the next scheduled update; this mapping
              is used when restricting credentials by GID.

       SIGTERM
              Terminate the daemon.

NOTES
       All clocks within a security realm must be kept in sync within the
       credential time-to-live setting.

       While munged prevents a given credential from being decoded on a
       particular host more than once, nothing prevents a credential from
       being decoded on multiple hosts within the security realm before it
       expires.
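The validation order given in DESCRIPTION (MAC, then UID/GID restrictions, then TTL, then the per-host replay check), the --max-ttl bound on the replay cache, and the per-host nature of replay detection stated in NOTES, as one added example. This is a toy model written for this page, not MUNGE's code or wire format: it uses HMAC-SHA256 over a zlib-compressed JSON body and leaves out the encryption step the page describes; the class and method names, the constructed key and the stand-in MUNGE_MAXIMUM_TTL value are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib

# Assumption: a stand-in for the hard-coded MUNGE_MAXIMUM_TTL ceiling named on
# the man page; the real value is not given there (constructed for this model).
MUNGE_MAXIMUM_TTL = 3600
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


class ModelDaemon:
    """Toy model of one munged instance: a shared realm key, a --max-ttl
    setting, and its own replay cache (replay state is per host)."""

    def __init__(self, key, max_ttl=MUNGE_MAXIMUM_TTL):
        self.key = key
        self.max_ttl = min(max_ttl, MUNGE_MAXIMUM_TTL)  # --max-ttl is capped
        self.replay = {}  # MAC of a decoded credential -> time it expires

    def encode(self, uid, gid, payload, ttl, uid_restriction=None,
               gid_restriction=None, now=None):
        now = int(time.time()) if now is None else now
        meta = {
            "uid": uid, "gid": gid, "time": now,
            "ttl": min(ttl, self.max_ttl),  # TTL clamped to --max-ttl
            "uid_r": uid_restriction, "gid_r": gid_restriction,
        }
        # Compress, then authenticate; the page's encryption step is omitted here.
        body = zlib.compress(json.dumps(
            {"meta": meta, "payload": base64.b64encode(payload).decode()}
        ).encode())
        mac = hmac.new(self.key, body, hashlib.sha256).digest()
        return base64.b64encode(mac + body).decode()

    def decode(self, cred, client_uid, client_gid, now=None):
        now = int(time.time()) if now is None else now
        raw = base64.b64decode(cred)
        mac, body = raw[:MAC_LEN], raw[MAC_LEN:]
        # 1. MAC: anything altered after encoding fails here, before parsing.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return "BAD_MAC", None
        obj = json.loads(zlib.decompress(body))
        meta = obj["meta"]
        # 2. Embedded UID/GID restrictions on the decoding client.
        if meta["uid_r"] is not None and meta["uid_r"] != client_uid:
            return "UNAUTHORIZED", None
        if meta["gid_r"] is not None and meta["gid_r"] != client_gid:
            return "UNAUTHORIZED", None
        # 3. TTL: encode time against the local clock.  abs() is a choice made
        #    in this model so a future-stamped credential (skewed clock) also fails.
        if abs(now - meta["time"]) > meta["ttl"]:
            return "EXPIRED", None
        # 4. Replay: has THIS host already decoded this credential?
        self._purge(now)
        if mac in self.replay:
            return "REPLAYED", None
        self.replay[mac] = meta["time"] + meta["ttl"]
        return "SUCCESS", (meta, base64.b64decode(obj["payload"]))

    def _purge(self, now):
        """Drop entries for credentials that can no longer pass the TTL check;
        a smaller --max-ttl therefore bounds how large the cache can grow."""
        self.replay = {m: exp for m, exp in self.replay.items() if exp >= now}

    def replay_cache_size(self):
        return len(self.replay)


def tamper(cred):
    """Flip one bit in the compressed body of a credential (demo helper)."""
    raw = bytearray(base64.b64decode(cred))
    raw[-1] ^= 0x01
    return base64.b64encode(bytes(raw)).decode()


if __name__ == "__main__":
    key = b"constructed-demo-realm-key"
    host_a, host_b = ModelDaemon(key), ModelDaemon(key)
    cred = host_a.encode(1000, 1000, b"job-42", ttl=300, now=1000)
    print("host A, first decode :", host_a.decode(cred, 1000, 1000, now=1010)[0])
    print("host A, second decode:", host_a.decode(cred, 1000, 1000, now=1011)[0])
    print("host B, first decode :", host_b.decode(cred, 1000, 1000, now=1011)[0])
```

The demo's last two lines show the NOTES caveat: host A rejects the second decode as a replay, but host B, with its own cache, accepts the same credential. The purge in `_purge` is what ties the replay cache's size to the TTL, which is why the --max-ttl entry says reducing it limits cache growth and why the clocks in the realm must agree to within that TTL.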
178
AUTHOR
       Chris Dunlap <cdunlap@llnl.gov>

COPYRIGHT
       Copyright (C) 2007-2020 Lawrence Livermore National Security, LLC.
       Copyright (C) 2002-2007 The Regents of the University of California.

       MUNGE is free software: you can redistribute it and/or modify it under
       the terms of the GNU General Public License as published by the Free
       Software Foundation, either version 3 of the License, or (at your
       option) any later version.

       Additionally for the MUNGE library (libmunge), you can redistribute it
       and/or modify it under the terms of the GNU Lesser General Public
       License as published by the Free Software Foundation, either version 3
       of the License, or (at your option) any later version.

SEE ALSO
       munge(1), remunge(1), unmunge(1), munge(3), munge_ctx(3),
       munge_enum(3), munge(7), mungekey(8).

       https://dun.github.io/munge/

munge-0.5.14                      2020-01-14                         MUNGED(8)