Merge pull request #2291 from h2zh/drop-privs-dirs-fix

jhiemstrawisc · web-flow · commit 4f19c5767e76 · 2025-06-11T12:27:43.000-05:00
Handle directories permission denied error in drop privs mode
diff --git a/cmd/generate_password.go b/cmd/generate_password.go
@@ -33,6 +33,7 @@ import (
 	"github.com/tg123/go-htpasswd"
 	"golang.org/x/term"
 
+	"github.com/pelicanplatform/pelican/config"
 	"github.com/pelicanplatform/pelican/param"
 	"github.com/pelicanplatform/pelican/web_ui"
 )
@@ -122,6 +123,15 @@ func passwordMain(cmd *cobra.Command, args []string) error {
 	}
 	file.Close()
 
+	// chown the file to the pelican user
+	user, err := config.GetPelicanUser()
+	if err != nil {
+		return errors.Wrap(err, "no OS user found for pelican")
+	}
+	if err := os.Chown(outPasswordPath, user.Uid, user.Gid); err != nil {
+		return errors.Wrapf(err, "failed to set ownership on %s", outPasswordPath)
+	}
+
 	_, err = htpasswd.New(outPasswordPath, []htpasswd.PasswdParser{htpasswd.AcceptBcrypt}, nil)
 	if err != nil {
 		return err
diff --git a/config/config.go b/config/config.go
@@ -1368,7 +1368,9 @@ func InitServer(ctx context.Context, currentServers server_structs.ServerType) e
 		// Set up the directories for the server to run as a non-root user;
 		// for the most part, we need to recursively chown and chmod the directory
 		// so either root or pelican can access it.
-		pelicanLocations := []string{}
+		pelicanLocations := []string{
+			param.Server_DbLocation.GetString(),
+		}
 		if currentServers.IsEnabled(server_structs.RegistryType) {
 			pelicanLocations = append(pelicanLocations, param.Registry_DbLocation.GetString())
 		}
@@ -1390,8 +1392,17 @@ func InitServer(ctx context.Context, currentServers server_structs.ServerType) e
 			return errors.Wrap(err, "failure when setting up the file permissions for pelican")
 		}
 
+		pelicanLocationsSingleFiles := []string{
+			param.Server_UIPasswordFile.GetString(),
+			param.IssuerKey.GetString(), // Backward compatibility for legacy key file
+		}
+		if err = setFilePerms(pelicanLocationsSingleFiles, 0640, puser.Uid, 0); err != nil {
+			return errors.Wrap(err, "failure when setting up the file permissions for pelican")
+		}
+
 		pelicanDirs := []string{
 			param.Monitoring_DataLocation.GetString(),
+			param.IssuerKeysDirectory.GetString(),
 		}
 		if currentServers.IsEnabled(server_structs.LocalCacheType) {
 			pelicanDirs = append(pelicanDirs, param.LocalCache_RunLocation.GetString())
diff --git a/config/init_server_creds.go b/config/init_server_creds.go
@@ -671,6 +671,7 @@ func loadPEMFiles(dir string) (jwk.Key, error) {
 func GeneratePEM(dir string) (key jwk.Key, err error) {
 	var fname string
 	var keyFile *os.File
+
 	if dir == "" {
 		issuerKeyLocation := param.IssuerKey.GetString()
 		if issuerKeyLocation == "" {
@@ -685,8 +686,7 @@ func GeneratePEM(dir string) (key jwk.Key, err error) {
 			return
 		}
 	} else {
-		// Generate a unique filename using a POSIX mkstemp-like logic
-		// Create a temp file, store its filename, then immediately delete this temp file
+		// Generate a unique filename
 		filenamePattern := fmt.Sprintf("pelican_generated_%d_*.pem",
 			time.Now().UnixNano())
 		if err = createDirForKeys(dir); err != nil {
@@ -695,14 +695,23 @@ func GeneratePEM(dir string) (key jwk.Key, err error) {
 		}
 		keyFile, err = os.CreateTemp(dir, filenamePattern)
 		if err != nil {
-			err = errors.Wrap(err, "failed to remove temp file")
+			err = errors.Wrap(err, "failed to create private key file")
 			return
 		}
 		fname = keyFile.Name()
 		log.Debugln("Generating new private key in the IssuerKeys directory at", fname)
 	}
 	defer keyFile.Close()
 
+	user, err := GetPelicanUser()
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to get pelican user for setting ownership")
+	}
+
+	if err = SetOwnershipAndPermissions(fname, 0640, user); err != nil {
+		return nil, errors.Wrapf(err, "failed to set ownership and permissions for %s", fname)
+	}
+
 	if err = generatePrivateKeyToFile(keyFile, elliptic.P256()); err != nil {
 		return nil, errors.Wrapf(err, "failed to generate private key in file %s", fname)
 	}
diff --git a/config/mkdirall.go b/config/mkdirall.go
@@ -28,6 +28,28 @@ import (
 	"github.com/pkg/errors"
 )
 
+// Apply the given permission bits and ownership to path in a cross-platform way.
+//   - On Windows it runs “icacls path /grant username:F”
+//   - On Linux/macOS it does os.Chmod(path, perm) then os.Chown(path, uid, gid)
+func SetOwnershipAndPermissions(path string, perm os.FileMode, user User) error {
+	if runtime.GOOS == "windows" {
+		cmd := exec.Command("icacls", path, "/grant", user.Username+":F")
+		if out, err := cmd.CombinedOutput(); err != nil {
+			return errors.Wrapf(err, "unable to modify ACLs on %q: %s", path, string(out))
+		}
+		return nil
+	}
+
+	// Assume macOS or Linux
+	if err := os.Chmod(path, perm); err != nil {
+		return errors.Wrapf(err, "unable to chmod %q to %v", path, perm)
+	}
+	if err := os.Chown(path, user.Uid, user.Gid); err != nil {
+		return errors.Wrapf(err, "unable to chown %q to %d:%d", path, user.Uid, user.Gid)
+	}
+	return nil
+}
+
 // This is the pelican version of `MkdirAll`; ensures that any created directory
 // is owned by a given uid/gid.  This allows the created directory to be owned by
 // the xrootd user.
@@ -76,26 +98,29 @@ func MkdirAll(path string, perm os.FileMode, uid int, gid int) error {
 	}
 
 	// Set ownership on the directory that we just created.
-	if runtime.GOOS == "windows" {
-		username, err := GetDaemonUser() // FIXME (brianaydemir): This is not the correct user.
-		if err != nil {
-			return err
-		}
-		cmd := exec.Command("icacls", path, "/grant", username+":F")
-		output, err := cmd.CombinedOutput()
-		if err != nil {
-			return errors.Wrapf(err, "unable to modify discretionary ACLs on directory %v: %s", path, string(output))
+	user, err := GetPelicanUser()
+	if err != nil {
+		return errors.Wrap(err, "failed to get pelican user")
+	}
+	if err = SetOwnershipAndPermissions(path, perm, User{Uid: uid, Gid: gid, Username: user.Username}); err != nil {
+		return errors.Wrapf(err, "failed to set ownership and permissions for %s", path)
+	}
+	return nil
+}
+
+// Set the permissions on the targeted file only if it exists. Doesn't care about its parent or siblings
+func setFilePerms(paths []string, perm os.FileMode, uid int, gid int) error {
+	for _, path := range paths {
+		// Skip the file if it doesn't exist
+		if _, err := os.Stat(path); os.IsNotExist(err) {
+			continue
 		}
-	} else { // Assume macOS or Linux.
-		// Any default system umask may prevent previous application of the permissions
-		// from taking effect. To override this, set the permissions explicitly
-		// after creation.
-		if err = os.Chmod(path, perm); err != nil {
-			return errors.Wrapf(err, "unable to chmod on directory %v to %v", path, perm)
+		// Set the permissions on the file
+		if err := os.Chmod(path, perm); err != nil {
+			return errors.Wrapf(err, "failed to set permissions on file %v", path)
 		}
-
-		if err = os.Chown(path, uid, gid); err != nil {
-			return errors.Wrapf(err, "unable to chown on directory %v to %v:%v", path, uid, gid)
+		if err := os.Chown(path, uid, gid); err != nil {
+			return errors.Wrapf(err, "failed to chown file %v", path)
 		}
 	}
 	return nil
diff --git a/xrootd/authorization.go b/xrootd/authorization.go
@@ -169,6 +169,41 @@ func writeScitokensConfiguration(modules server_structs.ServerType, cfg *Scitoke
 		Funcs(template.FuncMap{"StringsJoin": strings.Join, "JSONify": JSONify}).
 		Parse(scitokensCfgTemplate))
 
+	// If Pelican is run by unprivileged user, we use xrdhttp-pelican plugin to make sure the final scitokens.cfg file is owned by xrootd
+	if param.Server_DropPrivileges.GetBool() {
+		// Create a temporary file to assemble the scitokens configuration
+		tempCfgFile, err := os.CreateTemp("", "scitokens-generated-*.cfg.tmp")
+		if err != nil {
+			return errors.Wrapf(err, "failed to create a temporary scitokens file %s", tempCfgFile.Name())
+		} else {
+			log.Debugln("Created temporary scitokens config file", tempCfgFile.Name())
+		}
+		defer func() {
+			tempCfgFile.Close()
+			os.Remove(tempCfgFile.Name())
+		}()
+		deduplicateBasePaths(cfg)
+		err = templ.Execute(tempCfgFile, cfg)
+		if err != nil {
+			return errors.Wrapf(err, "unable to create scitokens.cfg template")
+		}
+		// After writing configuration to the file, the file pointer remains at the end.
+		// Seek back to the beginning of the file so that the copy operation reads from the start.
+		if _, err := tempCfgFile.Seek(0, io.SeekStart); err != nil {
+			return errors.Wrap(err, "failed to seek to beginning of the file")
+		}
+
+		// Use command "7" in xrdhttp-pelican plugin to transplant the scitoken config file to a
+		// directory owned by xrootd. The directory is specified in `xrootd/launch.go`. This is because
+		// the xrootd daemon will periodically reload the scitokens.cfg and, in some cases, we may
+		// want to update it without restarting the server.
+		if err = FileCopyToXrootdDir(modules.IsEnabled(server_structs.OriginType), 7, tempCfgFile); err != nil {
+			return errors.Wrap(err, "failed to copy the scitokens config file to the xrootd directory")
+		}
+
+		return nil
+	}
+
 	gid, err := config.GetDaemonGID()
 	if err != nil {
 		return err
@@ -366,6 +401,37 @@ func EmitAuthfile(server server_structs.XRootDServer) error {
 		}
 	}
 
+	// If Pelican is run by unprivileged user, we use xrdhttp-pelican plugin to make sure the final authfile is owned by xrootd
+	if param.Server_DropPrivileges.GetBool() {
+		// Create a temporary authfile
+		tempAuthFile, err := os.CreateTemp("", "temp-authfile-generated-*")
+		if err != nil {
+			return errors.Wrapf(err, "failed to create a generated temporary authfile %s", tempAuthFile.Name())
+		} else {
+			log.Debugln("Created temporary authfile", tempAuthFile.Name())
+		}
+		defer func() {
+			tempAuthFile.Close()
+			os.Remove(tempAuthFile.Name())
+		}()
+		if _, err := output.WriteTo(tempAuthFile); err != nil {
+			return errors.Wrapf(err, "failed to write to generated authfile %v", tempAuthFile.Name())
+		}
+		// After writing content to the file, the file pointer remains at the end.
+		// Seek back to the beginning of the file so that the copy operation reads from the start.
+		if _, err := tempAuthFile.Seek(0, io.SeekStart); err != nil {
+			return errors.Wrap(err, "failed to seek to beginning of the file")
+		}
+
+		// Transplant the authfile using the xrdhttp-pelican plugin so xrootd can access it.
+		// Command "6" instructs the plugin to put the auth file into the designated location owned by "xrootd" user,
+		// which is specified in `xrootd/launch.go`.
+		if err = FileCopyToXrootdDir(server.GetServerType().IsEnabled(server_structs.OriginType), 6, tempAuthFile); err != nil {
+			return errors.Wrap(err, "failed to copy the auth file to the xrootd directory")
+		}
+		return nil
+	}
+
 	gid, err := config.GetDaemonGID()
 	if err != nil {
 		return err
diff --git a/xrootd/launch.go b/xrootd/launch.go
@@ -165,6 +165,19 @@ func makeUnprivilegedXrootdLauncher(daemonName string, configPath string, isCach
 		testFileCinfoLocation := filepath.Join(basePath, "self-test-cache-server.txt.cinfo")
 		result.ExtraEnv = append(result.ExtraEnv, "XRDHTTP_PELICAN_CACHE_SELF_TEST_FILE="+testFileLocation)
 		result.ExtraEnv = append(result.ExtraEnv, "XRDHTTP_PELICAN_CACHE_SELF_TEST_FILE_CINFO="+testFileCinfoLocation)
+
+		xrootdRun := param.Origin_RunLocation.GetString()
+		authFileName := "authfile-origin-generated"
+		scitokensCfgFileName := "scitokens-origin-generated.cfg"
+		if isCache {
+			xrootdRun = param.Cache_RunLocation.GetString()
+			authFileName = "authfile-cache-generated"
+			scitokensCfgFileName = "scitokens-cache-generated.cfg"
+		}
+		authPath := filepath.Join(xrootdRun, authFileName)
+		configPath := filepath.Join(xrootdRun, scitokensCfgFileName)
+		result.ExtraEnv = append(result.ExtraEnv, "XRDHTTP_PELICAN_AUTHFILE_GENERATED="+authPath)
+		result.ExtraEnv = append(result.ExtraEnv, "XRDHTTP_PELICAN_SCITOKENS_GENERATED="+configPath)
 	}
 	return
 }
diff --git a/xrootd/self_monitor.go b/xrootd/self_monitor.go
@@ -236,18 +236,17 @@ func generateTestFileViaPlugin() (string, error) {
 	// Transplant the test file to selfTestDir using the xrdhttp-pelican plugin.
 	// Command "4" instructs the plugin to put the test file into the designated location, which is specified in `xrootd/launch.go`.
 	// Check `src/XrdHttpPelican.cc` in https://github.com/PelicanPlatform/xrdhttp-pelican for the counterpart in the plugin.
-	if err = SelfTestFileCopy(4, file); err != nil {
+	if err = FileCopyToXrootdDir(false, 4, file); err != nil {
 		return "", errors.Wrap(err, "failed to copy the test file to the self-test directory")
 	}
 	// Transplant the cinfo file to selfTestDir using the xrdhttp-pelican plugin.
 	// Command "5" instructs the plugin to put the cinfo file into the designated location, which is specified in `xrootd/launch.go`.
-	if err = SelfTestFileCopy(5, cinfoFile); err != nil {
+	if err = FileCopyToXrootdDir(false, 5, cinfoFile); err != nil {
 		return "", errors.Wrap(err, "failed to copy the test cinfo file to the self-test directory")
 	}
 
 	// Construct and return the URL of the copied test file in the selfTestDir
-	cachePort := param.Cache_Port.GetInt()
-	baseUrlStr := fmt.Sprintf("https://%s:%d", param.Server_Hostname.GetString(), cachePort)
+	baseUrlStr := fmt.Sprintf("https://%s:%d", param.Server_Hostname.GetString(), param.Cache_Port.GetInt())
 	baseUrl, err := url.Parse(baseUrlStr)
 	if err != nil {
 		return "", errors.Wrap(err, "failed to validate the base url for self-test download")
diff --git a/xrootd/xrootd_config.go b/xrootd/xrootd_config.go
@@ -611,10 +611,10 @@ func copyXrootdCertificates(server server_structs.XRootDServer) error {
 	return nil
 }
 
-func SelfTestFileCopy(cmd int, file *os.File) error {
-	log.Debug("Transplanting a self-test file")
-	if err := sendChildFD(false, cmd, file); err != nil {
-		return errors.Wrap(err, "Failed to copy the self-test file via FD")
+func FileCopyToXrootdDir(isOrigin bool, cmd int, file *os.File) error {
+	log.Debugf("Transplanting file %s to a directory owned by the xrootd process", file.Name())
+	if err := sendChildFD(isOrigin, cmd, file); err != nil {
+		return errors.Wrapf(err, "Failed to copy the file %s via FD", file.Name())
 	}
 	return nil
 }
@@ -633,6 +633,14 @@ func dropPrivilegeCopy(server server_structs.XRootDServer) error {
 		destination = filepath.Join(param.Cache_RunLocation.GetString(), "pelican")
 	}
 	destination = filepath.Join(destination, "copied-tls-creds.crt")
+
+	// If the file already exists, delete it so that OpenFile will create a new one.
+	// Because the destination file is read-only (0400), user cannot update it (os.O_TRUNC will hit an permission denied error).
+	err := os.Remove(destination)
+	if err != nil && !os.IsNotExist(err) {
+		return errors.Wrapf(err, "Failure when removing existing certificate key pair file for xrootd")
+	}
+
 	destFile, err := os.OpenFile(destination, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, fs.FileMode(0400))
 	if err != nil {
 		return errors.Wrap(err, "Failure when opening certificate key pair file to pass to xrootd")
