1
2MUNGED(8)                 MUNGE Uid 'N' Gid Emporium                 MUNGED(8)
3
4
5

NAME

7       munged - MUNGE daemon
8
9

SYNOPSIS

11       munged [OPTION]...
12
13

DESCRIPTION

15       The munged daemon is responsible for authenticating local MUNGE clients
16       and servicing their credential encode & decode requests.
17
18       All munged daemons within a security realm share  a  common  key.   All
19       hosts  within  this  realm  are  expected to have common users/UIDs and
20       groups/GIDs.  The key is used to cryptographically protect the  creden‐
21       tials; it is created with the mungekey command.
22
23       When  a credential is created, munged embeds metadata within it includ‐
24       ing the effective UID and GID of the requesting client  (as  determined
25       by munged) and the current time (as determined by the local clock).  It
26       then compresses the data, computes a message authentication  code,  en‐
27       crypts  the  data,  and  base64-encodes the result before returning the
28       credential to the client.
29
30       When a credential is validated, munged first checks the message authen‐
31       tication  code  to  ensure the credential has not been subsequently al‐
32       tered.  Next, it checks the embedded UID/GID restrictions to  determine
33       whether the requesting client is allowed to decode it.  Then, it checks
34       the embedded encode time against the current time; if  this  difference
35       exceeds  the  embedded  time-to-live,  the credential has expired.  Fi‐
36       nally, it checks whether this credential has been previously decoded on
37       this  host;  if  so,  the  credential has been replayed.  If all checks
38       pass, the credential metadata and payload are returned to the client.
39
40

OPTIONS

42       -h, --help
43              Display a summary of the command-line options.
44
45       -L, --license
46              Display license information.
47
48       -V, --version
49              Display version information.
50
51       -f, --force
52              Force the daemon to run if  at  all  possible.   This  overrides
53              warnings  for an existing local domain socket, a lack of entropy
54              for the PRNG, and insecure file/directory permissions.  Use with
55              caution as overriding these warnings can affect security.
56
57       -F, --foreground
58              Run the daemon in the foreground.
59
60       -M, --mlockall
61              Lock  all current and future pages in the virtual memory address
62              space.  Access to locked pages will never be delayed by  a  page
63              fault.   This can improve performance and help the daemon remain
64              responsive when the system is under heavy memory pressure.  This
65              typically  requires root privileges or the CAP_IPC_LOCK capabil‐
66              ity.
67
68       -s, --stop
69              Stop the daemon bound to the socket and  wait  for  it  to  shut
70              down.   Use with the --socket option to target a daemon bound to
71              a non-default socket location.  This option exits  with  a  zero
72              status  if  the  specified daemon was successfully stopped, or a
73              non-zero status otherwise.
74
75       -S, --socket path
76              Specify the local domain socket for communicating with clients.
77
78       -v, --verbose
79              Be verbose.
80
81       --auth-server-dir directory
82              Specify an alternate directory in which the daemon  will  create
83              the  pipe used to authenticate clients.  The recommended permis‐
84              sions for this directory are 0711.  This option is only valid on
85              platforms  where  client authentication is performed via a file-
86              descriptor passing mechanism.
87
88       --auth-client-dir directory
89              Specify an alternate directory in which clients will create  the
90              file  used to authenticate themselves to the daemon.  The recom‐
91              mended permissions for this directory are 1733.  This option  is
92              only valid on platforms where client authentication is performed
93              via a file-descriptor passing mechanism.
94
95       --benchmark
96              Disable recurring timers in order to  reduce  some  noise  while
97              benchmarking.  This affects the PRNG entropy pool, supplementary
98              group mapping, and credential replay hash.  Do not  enable  this
99              option when running in production.
100
101       --group-check-mtime boolean
102              Specify  whether  the  modification time of /etc/group should be
103              checked before updating the supplementary group membership  map‐
104              ping.   If this value is non-zero, the check will be enabled and
105              the mapping will not be updated unless the file has  been  modi‐
106              fied since the last update.
107
108       --group-update-time seconds
109              Specify  the number of seconds between updates to the supplemen‐
110              tary group membership mapping; this mapping  is  used  when  re‐
111              stricting credentials by GID.  A value of 0 causes it to be com‐
112              puted  initially  but  never  updated  (unless  triggered  by  a
113              SIGHUP).  A value of -1 causes it to be disabled.
114
115       --key-file path
116              Specify an alternate pathname to the key file.
117
118       --log-file path
119              Specify an alternate pathname to the log file.
120
121       --max-ttl integer
122              Specify  the  maximum  allowable time-to-live value (in seconds)
123              for a credential.  This setting has an  upper-bound  imposed  by
124              the  hard-coded MUNGE_MAXIMUM_TTL value.  Reducing it will limit
125              the maximum growth of the credential replay cache.  This is  vi‐
126              able  if  clocks within the MUNGE realm can be kept in sync with
127              minimal skew.
128
129       --num-threads integer
130              Specify the number of threads to spawn for processing credential
131              requests.
132
133       --origin address
134              Specify  the origin address that will be encoded into credential
135              metadata.  This can be a hostname or IPv4 address; it  can  also
136              be  the  name  of  a  local network interface, in which case the
137              first IPv4 address found assigned  to  that  interface  will  be
138              used.  The default value is the IPv4 address of the hostname re‐
139              turned by gethostname().  Failure to lookup the address will re‐
140              sult  in  an error; if overridden, the origin will be set to the
141              null address.
142
143       --pid-file path
144              Specify an alternate pathname for storing the Process ID of  the
145              daemon.
146
147       --seed-file path
148              Specify an alternate pathname to the PRNG seed file.
149
150       --syslog
151              Redirect  log  messages  to syslog when the daemon is running in
152              the background.
153
154       --trusted-group group
155              Specify the group name or GID of the "trusted group".   This  is
156              used  for  permission checks on a directory hierarchy.  Directo‐
157              ries with group write permissions are allowed if they are  owned
158              by the trusted group (or the sticky bit is set).
159
160

SIGNALS

162       SIGHUP Immediately  update  the  supplementary group membership mapping
163              instead of waiting for the next scheduled update;  this  mapping
164              is used when restricting credentials by GID.
165
166       SIGTERM
167              Terminate the daemon.
168
169
170

NOTES

172       All clocks within a security realm must be kept in sync within the cre‐
173       dential time-to-live setting.
174
175       While munged prevents a given credential from being decoded on  a  par‐
176       ticular  host  more than once, nothing prevents a credential from being
177       decoded on multiple hosts within the security realm before it expires.
178
179

AUTHOR

181       Chris Dunlap <cdunlap@llnl.gov>
182
183
185       Copyright (C) 2007-2022 Lawrence Livermore National Security, LLC.
186       Copyright (C) 2002-2007 The Regents of the University of California.
187
188       MUNGE is free software: you can redistribute it and/or modify it  under
189       the  terms  of  the GNU General Public License as published by the Free
190       Software Foundation, either version 3 of the License, or (at  your  op‐
191       tion) any later version.
192
193       Additionally  for the MUNGE library (libmunge), you can redistribute it
194       and/or modify it under the terms of the GNU Lesser General  Public  Li‐
195       cense as published by the Free Software Foundation, either version 3 of
196       the License, or (at your option) any later version.
197
198

SEE ALSO

200       munge(1),    remunge(1),    unmunge(1),     munge(3),     munge_ctx(3),
201       munge_enum(3), munge(7), mungekey(8).
202
203       https://dun.github.io/munge/
204
205
206
207munge-0.5.15                      2022-06-22                         MUNGED(8)
Impressum