FreeBSD Manual Pages

MUNGED(8)                 MUNGE Uid 'N' Gid Emporium                 MUNGED(8)

NAME
       munged - MUNGE daemon

SYNOPSIS
       munged [OPTION]...

DESCRIPTION
       The munged daemon is responsible for authenticating local MUNGE clients
       and servicing their credential encode & decode requests.

       All munged daemons within a security realm share a common key.  All
       hosts within this realm are expected to have common users/UIDs and
       groups/GIDs.  The key is used to cryptographically protect the
       credentials; it is created with the mungekey command.

       When a credential is created, munged embeds metadata within it
       including the effective UID and GID of the requesting client (as
       determined by munged) and the current time (as determined by the local
       clock).  It then compresses the data, computes a message authentication
       code, encrypts the data, and base64-encodes the result before returning
       the credential to the client.

       When a credential is validated, munged first checks the message
       authentication code to ensure the credential has not been subsequently
       altered.  Next, it checks the embedded UID/GID restrictions to
       determine whether the requesting client is allowed to decode it.  Then,
       it checks the embedded encode time against the current time; if this
       difference exceeds the embedded time-to-live, the credential has
       expired.  Finally, it checks whether this credential has been
       previously decoded on this host; if so, the credential has been
       replayed.  If all checks pass, the credential metadata and payload are
       returned to the client.
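       The validation sequence above, as an added Python model of the four
       checks in the order munged applies them.  This is not MUNGE's wire
       format or libmunge: the key, the credential layout and all sample
       values are constructed, and the encryption step is left out so the
       model needs nothing beyond the standard library.

```python
# Added illustrative model, not MUNGE's real format or libmunge; key, layout and values are constructed.
import base64
import hashlib
import hmac
import json
import zlib

REALM_KEY = b"constructed-realm-key-not-a-real-munge-key"  # shared by every host in the realm
MAC_LEN = hashlib.sha256().digest_size


def encode(uid, gid, payload, ttl, now, dec_uid=None, dec_gid=None):
    """Embed metadata, compress, then MAC (the daemon also encrypts; that
    step is left out here to keep the model free of extra dependencies)."""
    meta = {"uid": uid, "gid": gid, "time": now, "ttl": ttl,
            "dec_uid": dec_uid, "dec_gid": dec_gid,
            "payload": base64.b64encode(payload).decode()}
    body = zlib.compress(json.dumps(meta, sort_keys=True).encode())
    mac = hmac.new(REALM_KEY, body, hashlib.sha256).digest()
    return base64.b64encode(mac + body)


class Host:
    """One munged instance; its replay cache is local to this host only."""

    def __init__(self):
        self._seen = set()

    def decode(self, cred, client_uid, client_gid, now):
        """Four checks in man-page order; returns (status, data), data only when "ok"."""
        raw = base64.b64decode(cred)
        mac, body = raw[:MAC_LEN], raw[MAC_LEN:]
        # 1. MAC: anything altered after encoding fails here (constant-time compare).
        expect = hmac.new(REALM_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expect):
            return "bad-mac", None
        meta = json.loads(zlib.decompress(body))
        # 2. Embedded UID/GID restrictions on who may decode it.
        if meta["dec_uid"] is not None and meta["dec_uid"] != client_uid:
            return "uid-restricted", None
        if meta["dec_gid"] is not None and meta["dec_gid"] != client_gid:
            return "gid-restricted", None
        # 3. Encode time vs. this host's clock: skew across the realm eats into the TTL.
        if now - meta["time"] > meta["ttl"]:
            return "expired", None
        # 4. Replay: already decoded on *this* host (every other host still accepts it once).
        if mac in self._seen:
            return "replayed", None
        self._seen.add(mac)
        return "ok", (meta["uid"], meta["gid"], base64.b64decode(meta["payload"]))
```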

OPTIONS
       -h, --help
              Display a summary of the command-line options.

       -L, --license
              Display license information.

       -V, --version
              Display version information.

       -f, --force
              Force the daemon to run if at all possible.  This overrides
              warnings for an existing local domain socket, a lack of entropy
              for the PRNG, and insecure file/directory permissions.  Use with
              caution as overriding these warnings can affect security.

       -F, --foreground
              Run the daemon in the foreground.

       -M, --mlockall
              Lock all current and future pages in the virtual memory address
              space.  Access to locked pages will never be delayed by a page
              fault.  This can improve performance and help the daemon remain
              responsive when the system is under heavy memory pressure.  This
              typically requires root privileges or the CAP_IPC_LOCK
              capability.

       -s, --stop
              Stop the daemon bound to the socket and wait for it to shut
              down.  Use with the --socket option to target a daemon bound to
              a non-default socket location.  This option exits with a zero
              status if the specified daemon was successfully stopped, or a
              non-zero status otherwise.

       -S, --socket path
              Specify the local domain socket for communicating with clients.

       -v, --verbose
              Be verbose.

       --auth-server-dir directory
              Specify an alternate directory in which the daemon will create
              the pipe used to authenticate clients.  The recommended
              permissions for this directory are 0711.  This option is only
              valid on platforms where client authentication is performed via
              a file-descriptor passing mechanism.

       --auth-client-dir directory
              Specify an alternate directory in which clients will create the
              file used to authenticate themselves to the daemon.  The
              recommended permissions for this directory are 1733.  This
              option is only valid on platforms where client authentication
              is performed via a file-descriptor passing mechanism.

       --benchmark
              Disable recurring timers in order to reduce some noise while
              benchmarking.  This affects the PRNG entropy pool, supplementary
              group mapping, and credential replay hash.  Do not enable this
              option when running in production.

       --group-check-mtime boolean
              Specify whether the modification time of /etc/group should be
              checked before updating the supplementary group membership
              mapping.  If this value is non-zero, the check will be enabled
              and the mapping will not be updated unless the file has been
              modified since the last update.

       --group-update-time seconds
              Specify the number of seconds between updates to the
              supplementary group membership mapping; this mapping is used
              when restricting credentials by GID.  A value of 0 causes it to
              be computed initially but never updated (unless triggered by a
              SIGHUP).  A value of -1 causes it to be disabled.

       --key-file path
              Specify an alternate pathname to the key file.

       --listen-backlog integer
              Specify the socket's listen backlog limit; note that the kernel
              may impose a lower limit.  A value of 0 uses the software
              default.  A value of -1 specifies SOMAXCONN, the maximum listen
              backlog queue length defined in <sys/socket.h>.

       --log-file path
              Specify an alternate pathname to the log file.

       --max-ttl integer
              Specify the maximum allowable time-to-live value (in seconds)
              for a credential.  This setting has an upper bound imposed by
              the hard-coded MUNGE_MAXIMUM_TTL value.  Reducing it will limit
              the maximum growth of the credential replay cache.  This is
              viable if clocks within the MUNGE realm can be kept in sync with
              minimal skew.

       --num-threads integer
              Specify the number of threads to spawn for processing credential
              requests.

       --origin address
              Specify the origin address that will be encoded into credential
              metadata.  This can be a hostname or IPv4 address; it can also
              be the name of a local network interface, in which case the
              first IPv4 address found assigned to that interface will be
              used.  The default value is the IPv4 address of the hostname
              returned by gethostname().  Failure to look up the address will
              result in an error; if overridden, the origin will be set to the
              null address.

       --pid-file path
              Specify an alternate pathname for storing the Process ID of the
              daemon.

       --seed-file path
              Specify an alternate pathname to the PRNG seed file.

       --syslog
              Redirect log messages to syslog when the daemon is running in
              the background.

       --trusted-group group
              Specify the group name or GID of the "trusted group".  This is
              used for permission checks on a directory hierarchy.
              Directories with group write permissions are allowed if they
              are owned by the trusted group (or the sticky bit is set).
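              The trusted-group rule above, as an added Python check over the
              directories leading to a key file.  It is not MUNGE's own code:
              the throwaway tree and the group IDs are constructed, and
              treating a world-writable directory without the sticky bit as
              insecure is this example's assumption rather than something the
              page states.

```python
# Added example, not MUNGE code: models the --trusted-group rule from the man
# page for the directories leading up to a path such as the key file.
import os
import stat
import tempfile


def unsafe_dirs(path, trusted_gid, top):
    """Walk from the directory holding `path` up to `top` (inclusive) and
    return the ones munged would warn about: group write is acceptable only
    if the directory is owned by the trusted group or has the sticky bit.
    World write without the sticky bit is flagged as well (an assumption of
    this example; the man page does not spell out that case)."""
    flagged = []
    d = os.path.dirname(os.path.abspath(path))
    top = os.path.abspath(top)
    while True:
        st = os.lstat(d)
        sticky = bool(st.st_mode & stat.S_ISVTX)
        if st.st_mode & stat.S_IWOTH and not sticky:
            flagged.append((d, "world-writable"))
        elif st.st_mode & stat.S_IWGRP and st.st_gid != trusted_gid and not sticky:
            flagged.append((d, "group-writable by a non-trusted group"))
        if d == top or d == os.path.dirname(d):      # reached top or "/"
            return flagged
        d = os.path.dirname(d)


def demo():
    """Build a throwaway tree (constructed) and check it three ways."""
    top = tempfile.mkdtemp()                       # mode 0700, not writable
    keydir = os.path.join(top, "etc", "munge")
    os.makedirs(keydir)
    os.chmod(os.path.dirname(keydir), 0o755)       # plain, non-writable "etc"
    os.chmod(keydir, 0o770)                        # group-writable key dir
    key = os.path.join(keydir, "munge.key")
    open(key, "wb").close()
    gid = os.lstat(keydir).st_gid                  # group that owns keydir
    trusted = unsafe_dirs(key, gid, top)           # that group is trusted
    untrusted = unsafe_dirs(key, gid + 1, top)     # some other group is
    os.chmod(keydir, 0o1770)                       # now add the sticky bit
    sticky = unsafe_dirs(key, gid + 1, top)
    return {"trusted": len(trusted), "untrusted": len(untrusted),
            "sticky": len(sticky), "why": [r for _, r in untrusted]}
```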

SIGNALS
       SIGHUP Immediately update the supplementary group membership mapping
              instead of waiting for the next scheduled update; this mapping
              is used when restricting credentials by GID.

       SIGTERM
              Terminate the daemon.

NOTES
       All clocks within a security realm must be kept in sync within the
       credential time-to-live setting.

       While munged prevents a given credential from being decoded on a
       particular host more than once, nothing prevents a credential from
       being decoded on multiple hosts within the security realm before it
       expires.

AUTHOR
       Chris Dunlap <cdunlap@llnl.gov>

COPYRIGHT
       Copyright (C) 2007-2024 Lawrence Livermore National Security, LLC.
       Copyright (C) 2002-2007 The Regents of the University of California.

       MUNGE is free software: you can redistribute it and/or modify it under
       the terms of the GNU General Public License as published by the Free
       Software Foundation, either version 3 of the License, or (at your
       option) any later version.

       Additionally for the MUNGE library (libmunge), you can redistribute it
       and/or modify it under the terms of the GNU Lesser General Public
       License as published by the Free Software Foundation, either version 3
       of the License, or (at your option) any later version.

SEE ALSO
       munge(1), remunge(1), unmunge(1), munge(3), munge_ctx(3),
       munge_enum(3), munge(7), mungekey(8).

       https://github.com/dun/munge

munge-0.5.16                      2024-03-15                         MUNGED(8)
