When you use glexec with transient directories and input sandboxes, it's important that you create a writable directory for your target job, and you do this in a safe and portable way.
In general, the setup of the batch system and OS at a site does not guarantee that the pilot job and the target user share a common group, even though in practice the 'top-level' VO group will usually be in common. However, it's not easy to identity this most-generic group. In these cases, you need to do two things:
- Create a temporary directory for the target job using glexec. We provide a proof-of-principle implementation on how to create such a directory, and clean up after yourself at https://ndpfsvn.nikhef.nl/cgi-bin/viewvc.cgi/pdpsoft/trunk/grid-mw-security/glexec/util/mkgltempdir/. It will usually be inside a temporary, transient area specific to the pilot job.
- ensure that this directory is reachable for the target job. This may mean making the 'upstream' directory traversable (not but necessarily readable) by the world.