Multiuser read failures due to missing RuntimeDir traversal permissions

[brianhlin]

Pelican Version:

# pelican --version
Version: 7.8.2
Build Date: 2024-05-15T19:19:17Z
Build Commit: f10f7cadd559fdae158e7a3b32d649ef503fc2af
Built By: goreleaser

Pelican Service:

• [ ] Client
• [ ] Plugin
• [ ] Registry
• [ ] Director
• [X] Origin
• [ ] Cache
• [ ] Other (please give the detail)

Describe the bug When trying to read files from a Linux-based origin with the following config:

Origin:
  Multiuser: true
  ScitokensMapSubject: true

Users will get 403 forbidden permission denied issues because of missing read/execute bits on the RuntimeDir as only the xrootd user can traverse the dir structure:

ls -ld /run/{pelican/xrootd/origin/export,pelican/xrootd/origin,pelican/xrootd/,pelican}
drwx------ 3 xrootd xrootd  60 May  6 15:54 /run/pelican
drwx------ 3 xrootd xrootd  60 May  6 15:54 /run/pelican/xrootd/
drwx------ 9 xrootd xrootd 400 May 23 12:44 /run/pelican/xrootd/origin
drwxr-xr-x 5 xrootd xrootd 100 May 23 12:38 /run/pelican/xrootd/origin/export

@bbockelm says that XRootD is the culprit

[bbockelm]

See https://github.com/xrootd/xrootd/issues/2276 for a description of the problem.

I see two options:

1. After starting the XRootD daemon and waiting for it to initialize (we already do this), walk the directories and reset the permissions back to what we desire. This might be tough: we need to do this as the xrootd daemon so we only undo the damage xrootd has done.
2. Remove the xrootd ownership of /run/pelican to make it owned by root. Then, move the admin path into /run/pelican/xrootd-admin.

This gets ugly in unprivileged mode as xrootd will change the directory however it's run. Run xrootd as an unprivileged user inside your home? Bam -- new permission for your home directory!

[jhiemstrawisc]

@brianhlin reports this has been addressed in xrootd 5.7.1.