Provided by: munge_0.5.10-1_i386

NAME

       munged - MUNGE daemon

SYNOPSIS

       munged [OPTION]...

DESCRIPTION

       The munged daemon is responsible for authenticating local MUNGE clients
       and servicing their credential encode & decode  requests.   All  munged
       daemons  within  a security realm share a secret key.  This key is used
       to protect the contents of a credential.

       When  a  credential  is  created,  munged  embeds  metadata  within  it
       including  the  effective  UID  and  GID  of  the requesting client (as
       determined by munged) and the current time (as determined by the  local
       clock).  It then compresses the data, computes a message authentication
       code, encrypts the data, and base64-encodes the result before returning
       the credential to the client.

       When  a  credential  is  validated,  munged  first  checks  the message
       authentication code to ensure the credential has not been  subsequently
       altered.    Next,  it  checks  the  embedded  UID/GID  restrictions  to
       determine whether the requesting client is allowed to decode it.  Then,
       it  checks  the  embedded encode time against the current time; if this
       difference  exceeds  the  embedded  time-to-live,  the  credential  has
       expired.    Finally,   it  checks  whether  this  credential  has  been
       previously decoded on  this  host;  if  so,  the  credential  has  been
       replayed.   If all checks pass, the credential metadata and payload are
       returned to the client.

OPTIONS

       -h, --help
              Display a summary of the command-line options.

       -L, --license
              Display license information.

       -V, --version
              Display version information.

       -f, --force
              Force the daemon to run if  at  all  possible.   This  overrides
              warnings  for an existing local domain socket, a lack of entropy
              for the PRNG, and insecure file/directory permissions.

       -F, --foreground
              Run the daemon in the foreground.

       -S, --socket path
              Specify the local domain socket for communicating with clients.

       --auth-server-dir directory
              Specify an alternate directory in which the daemon  will  create
              the   pipe   used  to  authenticate  clients.   The  recommended
              permissions for this directory are 0711.  This  option  is  only
              valid  on platforms where client authentication is performed via
              a file-descriptor passing mechanism.

       --auth-client-dir directory
              Specify an alternate directory in which clients will create  the
              file  used  to  authenticate  themselves  to  the  daemon.   The
              recommended permissions  for  this  directory  are  1733.   This
              option is only valid on platforms where client authentication is
              performed via a file-descriptor passing mechanism.

       --group-check-mtime boolean
              Specify whether the modification time of  /etc/group  should  be
              checked  before  updating  the  supplementary  group  membership
              mapping.  If this value is non-zero, the check will  be  enabled
              and  the  mapping  will  not be updated unless the file has been
              modified since the last update.

       --group-update-time integer
              Specify  the  number  of  seconds   between   updates   to   the
              supplementary  group  membership  mapping;  this mapping is used
              when restricting credentials by GID.  A value of 0 causes it  to
              be  computed  initially but never updated (unless triggered by a
              SIGHUP).  A value of -1 causes it to be disabled.

       --key-file file
              Specify an alternate secret key file.

       --num-threads integer
              Specify the number of threads to spawn for processing credential
              requests.
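
       A check of the modes recommended above for --auth-server-dir (0711) and
       --auth-client-dir (1733), as an added Python example that is not part
       of MUNGE. The audit() and demo() names and the temporary directories
       are assumptions made for illustration, not real MUNGE paths.

```python
import os
import stat
import tempfile

# Recommended modes as stated in the option descriptions above.
RECOMMENDED = {"--auth-server-dir": 0o711, "--auth-client-dir": 0o1733}


def audit(path, option):
    """Compare a directory's mode with the recommendation; return findings."""
    want = RECOMMENDED[option]
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    have = stat.S_IMODE(st.st_mode)
    extra, missing = have & ~want, want & ~have
    findings = []
    if extra & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("group/other can list directory entries")
    if extra & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group/other can create or remove entries")
    if missing & stat.S_ISVTX:
        findings.append("sticky bit missing: users can remove each other's files")
    if missing & (stat.S_IXGRP | stat.S_IXOTH | stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group/other lack bits present in the recommended mode")
    if have != want and not findings:
        findings.append(f"mode {have:04o} differs from recommended {want:04o}")
    return findings


def demo():
    """Audit constructed temporary directories (hypothetical, not MUNGE paths)."""
    cases = [("srv_ok", "--auth-server-dir", 0o711),
             ("srv_open", "--auth-server-dir", 0o755),
             ("cli_ok", "--auth-client-dir", 0o1733),
             ("cli_nosticky", "--auth-client-dir", 0o733)]
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for name, option, mode in cases:
            path = os.path.join(root, name)
            os.mkdir(path)
            os.chmod(path, mode)  # chmod is not affected by the umask
            results[name] = audit(path, option)
    return results
```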

SIGNALS

       SIGHUP Immediately  update  the  supplementary group membership mapping
              instead of waiting for the next scheduled update;  this  mapping
              is used when restricting credentials by GID.

       SIGTERM
              Terminate the daemon.

NOTES

       All  clocks  within  a  security  realm must be kept in sync within the
       credential time-to-live setting.

       While munged prevents a  given  credential  from  being  decoded  on  a
       particular  host  more  than  once,  nothing prevents a credential from
       being decoded on multiple hosts within the  security  realm  before  it
       expires.
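
       The validation order from DESCRIPTION and the two caveats in these
       NOTES, as an added Python model that is not MUNGE's code or credential
       format. It assumes HMAC-SHA256 as the MAC, a JSON body, no compression
       or encryption, and only a UID restriction; Host, demo and the key are
       hypothetical names and constructed values.

```python
import hashlib
import hmac
import json


class Host:
    """One host's decode path. Simplified model: JSON body, HMAC-SHA256 MAC,
    no compression or encryption, UID restriction only."""

    def __init__(self, key):
        self.key = key
        self.seen = set()  # replay cache is local to this host

    def encode(self, uid, gid, payload, now, ttl=300, uid_restrict=None):
        meta = {"uid": uid, "gid": gid, "time": now, "ttl": ttl,
                "uid_restrict": uid_restrict, "payload": payload}
        body = json.dumps(meta, sort_keys=True).encode()
        return body, hmac.new(self.key, body, hashlib.sha256).digest()

    def decode(self, cred, client_uid, now):
        body, mac = cred
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):           # 1. altered?
            return "invalid"
        meta = json.loads(body)
        if meta["uid_restrict"] not in (None, client_uid):   # 2. allowed to decode?
            return "unauthorized"
        if now - meta["time"] > meta["ttl"]:                 # 3. past time-to-live?
            return "expired"
        if mac in self.seen:                                 # 4. decoded here before?
            return "replayed"
        self.seen.add(mac)
        return "success"


def demo():
    key = b"constructed-realm-key"  # constructed sample key shared by all hosts
    a, b, c = Host(key), Host(key), Host(key)
    cred = a.encode(uid=1000, gid=1000, payload="job-42", now=1000)
    tampered = (cred[0].replace(b"job-42", b"job-43"), cred[1])
    root_only = a.encode(uid=1000, gid=1000, payload="x", now=1000, uid_restrict=0)
    return {
        "first decode on A": a.decode(cred, 1000, now=1010),
        "second decode on A": a.decode(cred, 1000, now=1020),
        "first decode on B": b.decode(cred, 1000, now=1030),  # separate cache
        "C, clock 301s ahead": c.decode(cred, 1000, now=1301),
        "tampered body": b.decode(tampered, 1000, now=1040),
        "restricted to uid 0": b.decode(root_only, 1000, now=1010),
    }
```

       Host B accepts the credential that host A has already consumed because
       each replay cache is local, and host C rejects a still-unused
       credential only because its clock is off by more than the time-to-live.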

AUTHOR

       Chris Dunlap <cdunlap@llnl.gov>

COPYRIGHT

       Copyright (C) 2007-2011 Lawrence Livermore National Security, LLC.
       Copyright (C) 2002-2007 The Regents of the University of California.

       MUNGE  is free software: you can redistribute it and/or modify it under
       the terms of the GNU General Public License as published  by  the  Free
       Software  Foundation,  either  version  3  of  the License, or (at your
       option) any later version.

       Additionally for the MUNGE library (libmunge), you can redistribute  it
       and/or  modify  it  under  the  terms  of the GNU Lesser General Public
       License as published by the Free Software Foundation, either version  3
       of the License, or (at your option) any later version.

SEE ALSO

       munge(1),     remunge(1),     unmunge(1),    munge(3),    munge_ctx(3),
       munge_enum(3), munge(7).

       http://munge.googlecode.com/