Attempting to access protected files in ligo.osgstorage.org mounted under cvmfsexec fails. The corresponding debug log message is:
This happens because the session id of all the processes running under cvmfsexec is zero, because the owner of the session is outside of the process namespace. Singularity does the same thing, although Docker and Podman make the session owner equal to the init process in their process namespace. I looked into making a separate session, including looking at the code that Podman uses, but it's terribly complicated. It would be much simpler to change the cvmfs code to use pid 1 if it sees pid 0.
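The fallback proposed above, as an added sketch that is not cvmfs code and not part of the original report: it assumes the session id is taken from field 6 of `/proc/<pid>/stat` (the report does not say how cvmfs obtains it). The function names and the sample lines are hypothetical and constructed for illustration.

```cpp
#include <sys/types.h>
#include <iostream>
#include <sstream>
#include <string>

// Session id (field 6) from one /proc/<pid>/stat line, or -1 if unparsable.
// The comm field (field 2) may itself contain spaces and ')', so the fixed
// fields are located relative to the LAST ')' in the line.
pid_t ParseSessionId(const std::string &stat_line) {
  const std::string::size_type close = stat_line.rfind(')');
  if (close == std::string::npos) return -1;
  std::istringstream rest(stat_line.substr(close + 1));
  char state = 0;
  long ppid = 0, pgrp = 0, session = 0;
  if (!(rest >> state >> ppid >> pgrp >> session) || session < 0) return -1;
  return static_cast<pid_t>(session);
}

// Fallback suggested in the report: a session id of 0 means the session
// owner is outside this pid namespace, so use pid 1 instead.
// Parse errors (-1) are passed through so the caller can still deny access.
pid_t EffectiveSessionLeader(pid_t sid) { return sid == 0 ? 1 : sid; }

int main() {
  // Constructed sample lines, truncated after the tty field.
  const std::string samples[] = {
      "57 (cat) R 1 57 0 0",                    // session owner not visible
      "812 (my (odd) name) S 1 812 640 34816",  // session owner visible
      "garbage"};                               // malformed input
  for (const std::string &line : samples) {
    const pid_t sid = ParseSessionId(line);
    std::cout << "sid=" << sid
              << " leader=" << EffectiveSessionLeader(sid) << "\n";
  }
  return 0;
}
```
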