Skip to content

Validate filesystem perms against namespace capabilities for posix origins #2881

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
h2zh wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Validate filesystem perms against namespace capabilities for posix origins #2881

h2zh wants to merge 2 commits into from

Conversation

@h2zh
Copy link
Contributor

@h2zh h2zh commented Dec 16, 2025

Check if the xrootd user has the required filesystem permissions for the configured capabilities

  • Read+execute permissions for Reads, PublicReads, and Listings capabilities
  • Write+execute permissions for Writes capability
  • Also require storage prefix exists and is a directory

Also update tests to replace made-up storage prefixes with temp directories that have proper permissions, because:

  • Tests run as root, but the permission check simulates what the xrootd daemon user would have. Since xrootd is neither the owner nor in root's group, it falls into the "Others" category. Setting 0777 ensures the "others" bits grant full access (rwx).

h2zh added 2 commits December 15, 2025 22:20
@h2zh
Check if the xrootd user has the required filesystem permissions for …
b63c1df 
…the configured capabilities

-  Read+execute permissions for Reads, PublicReads, and Listings capabilities
- Write+execute permissions for Writes capability
- Also require storage prefix exists and is a directory
@h2zh
Update tests
307ca00 
Replace made-up storage prefixes with temp directories that have proper permissions, because:
Tests run as root, but the permission check simulates what the xrootd daemon user would have. Since xrootd is neither the owner nor in root's group, it falls into the "Others" category. Setting 0777 ensures the "others" bits grant full access (rwx).
@h2zh h2zh added this to the v7.23 milestone Dec 16, 2025
@h2zh h2zh added enhancement New feature or request origin Issue relating to the origin component labels Dec 16, 2025
@h2zh h2zh linked an issue Dec 16, 2025 that may be closed by this pull request
Try to validate fs permissions against ns capabilities for posix origins #2200
Open
@h2zh h2zh marked this pull request as draft December 16, 2025 22:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@turetske turetske Awaiting requested review from turetske

@jhiemstrawisc jhiemstrawisc Awaiting requested review from jhiemstrawisc

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

enhancement New feature or request origin Issue relating to the origin component

Projects

None yet

Milestone

v7.23

Development

Successfully merging this pull request may close these issues.

Try to validate fs permissions against ns capabilities for posix origins

1 participant

@h2zh