Provided by: memlockd_1.3.1-2_amd64

NAME

       memlockd - daemon to lock files in memory with mlock

SYNOPSIS

       memlockd [ -c config-file ] [ -d ] [ -f ] [ -u user ]

DESCRIPTION

       This manual page briefly documents the memlockd command.

       memlockd locks system programs and config files in memory so that, if a DoS attack is
       experienced, the chance of the sys-admin regaining control of the system in a
       reasonable amount of time (and therefore having a reasonable chance of discovering the
       cause of the problem) is significantly increased.

OPTIONS

       The -c option specifies the fully-qualified path name of a config file that lists the
       names of files to lock. If the config file is not specified, it defaults to
       /etc/memlockd.cfg. In any situation where a config file is used a directory can be used
       instead; for a directory, every file ending in ".cfg" will be processed.

       The -d option specifies debugging mode: the program will not fork and will produce its
       logging messages on stderr instead of via syslog.

       The -f option specifies foreground (non-daemon) mode: the program will not fork but will
       still log normally.

       The  -u  option  specifies  the  name  of  a  user  to  use for running ldd (for recursive
       operation).  Note that locking shared objects that are writable by non-root is  not  safe,
       but using a different UID will reduce the risk.

       The config file contains a number of fully qualified names of files to lock in RAM.
       When locking shared objects and ELF binaries it is possible to prefix the file name with a
       + character to indicate that memlockd should recursively lock all shared objects that the
       program requires and all shared objects that those objects require. When a "file not
       found" error doesn't matter (e.g. you want a single config file to have the file names for
       multiple architectures or systems) you can prefix the file name with a ? character. In
       that case errors such as EPERM will still be logged.

       If  a  line in the config file starts with a % character it will be taken as the name of a
       config file or directory to process.  Currently only one level of recursion is accepted.
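
       The following audit script is an added example, not part of memlockd or of this manual
       page. It reads a config using the rules described above and reports entries that are not
       fully qualified, that are missing without a ? prefix, or that are writable by non-root.
       Skipping blank and # lines and accepting combined +/? prefixes are assumptions.

```python
import os, stat, sys

def config_files(path):
    """A config path is a file, or a directory whose files ending in .cfg are all read."""
    if os.path.isdir(path):
        return sorted(os.path.join(path, n) for n in os.listdir(path) if n.endswith(".cfg"))
    return [path]

def parse(path, depth=0):
    """Return (file, recursive, optional) tuples for every entry reachable from path."""
    entries = []
    for cfg in config_files(path):
        with open(cfg) as fh:
            for raw in fh:
                line = raw.strip()
                if not line or line.startswith("#"):  # assumption: blanks and comments skipped
                    continue
                if line.startswith("%"):              # include another config file or directory
                    if depth == 0:                    # only one level of recursion is accepted
                        entries += parse(line[1:], depth + 1)
                    continue
                name = line.lstrip("+?")              # assumption: prefixes may be combined
                flags = line[:len(line) - len(name)]
                entries.append((name, "+" in flags, "?" in flags))
    return entries

def writable_by_non_root(uid, mode):
    """True if the owner is not root or a group/other write bit is set (conservative)."""
    return uid != 0 or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(path):
    """Return (name, reason) findings for a config; an empty list means nothing to report."""
    findings = []
    for name, recursive, optional in parse(path):
        if not os.path.isabs(name):
            findings.append((name, "not a fully qualified name"))
            continue
        try:
            st = os.stat(name)
        except FileNotFoundError:
            if not optional:
                findings.append((name, "missing and not marked with ?"))
            continue
        if writable_by_non_root(st.st_uid, st.st_mode):
            findings.append((name, "writable by non-root"))
    return findings

if __name__ == "__main__":
    for name, why in audit(sys.argv[1] if len(sys.argv) > 1 else "/etc/memlockd.cfg"):
        print(f"{name}: {why}")
```

       The script checks only the files named in the config; shared objects pulled in through a
       + prefix are resolved by memlockd itself and are not examined here.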

SEE ALSO

       mlock(2), mmap(1).

AUTHOR

       memlockd was written by Russell Coker <russell@coker.com.au>

                                                                                      memlockd(8)