diff --git a/config/config.go b/config/config.go
index 6f68cd332..be9a4397d 100644
--- a/config/config.go
+++ b/config/config.go
@@ -1251,13 +1251,65 @@ func InitServer(ctx context.Context, currentServers server_structs.ServerType) e
 		if !param.Cache_RunLocation.IsSet() && !param.Origin_RunLocation.IsSet() && param.Xrootd_RunLocation.IsSet() {
 			return errors.New("Xrootd.RunLocation is set, but both modules are enabled. Please set Cache.RunLocation and Origin.RunLocation or disable Xrootd.RunLocation so the default location can be used.")
 		}
+	} else if param.Server_DropPrivileges.GetBool() {
+		puser, err := GetPelicanUser()
+		if err != nil {
+			return errors.Wrapf(err, "set to drop privileges but no target OS username found for %s", param.Server_UnprivilegedUser.GetString())
+		}
+		// Set up the directories for the server to run as a non-root user;
+		// for the most part, we need to recursively chown and chmod the directory
+		// so either root or pelican can access it.
+		pelicanLocations := []string{}
+		if currentServers.IsEnabled(server_structs.RegistryType) {
+			pelicanLocations = append(pelicanLocations, param.Registry_DbLocation.GetString())
+		}
+		if currentServers.IsEnabled(server_structs.OriginType) {
+			pelicanLocations = append(pelicanLocations, param.Origin_DbLocation.GetString())
+		}
+		if currentServers.IsEnabled(server_structs.DirectorType) {
+			pelicanLocations = append(pelicanLocations, param.Director_DbLocation.GetString(), param.Director_GeoIPLocation.GetString())
+		}
+		if err = setFileAndDirPerms(pelicanLocations, 0750, 0640, puser.Uid, 0, true); err != nil {
+			return errors.Wrap(err, "failure when setting up the file permissions for pelican")
+		}
+
+		pelicanLocationsNoRecursive := []string{}
+		if (currentServers.IsEnabled(server_structs.OriginType) || currentServers.IsEnabled(server_structs.CacheType)) && param.Shoveler_Enable.GetBool() {
+			pelicanLocationsNoRecursive = append(pelicanLocationsNoRecursive, param.Shoveler_AMQPTokenLocation.GetString())
+		}
+		if err = setFileAndDirPerms(pelicanLocationsNoRecursive, 0750, 0640, puser.Uid, 0, false); err != nil {
+			return errors.Wrap(err, "failure when setting up the file permissions for pelican")
+		}
+
+		pelicanDirs := []string{
+			param.Monitoring_DataLocation.GetString(),
+		}
+		if currentServers.IsEnabled(server_structs.LocalCacheType) {
+			pelicanDirs = append(pelicanDirs, param.LocalCache_RunLocation.GetString())
+		}
+		if currentServers.IsEnabled(server_structs.CacheType) && param.Cache_EnableLotman.GetBool() {
+			pelicanDirs = append(pelicanDirs, param.Lotman_LotHome.GetString(), param.Lotman_DbLocation.GetString())
+		}
+		if (currentServers.IsEnabled(server_structs.OriginType) || currentServers.IsEnabled(server_structs.CacheType)) && param.Shoveler_Enable.GetBool() {
+			pelicanDirs = append(pelicanDirs, param.Shoveler_QueueDirectory.GetString())
+		}
+		if currentServers.IsEnabled(server_structs.OriginType) {
+			pelicanDirs = append(pelicanDirs, param.Origin_GlobusConfigLocation.GetString())
+		}
+		if err = setDirPerms(pelicanDirs, 0750, 0640, puser.Uid, puser.Gid, true); err != nil {
+			return errors.Wrap(err, "failure when setting up the directory permissions for pelican")
+		}
 	}
 
-	if err := os.MkdirAll(param.Monitoring_DataLocation.GetString(), 0750); err != nil {
+	user, err := GetPelicanUser()
+	if err != nil {
+		return errors.Wrap(err, "no OS user found for pelican")
+	}
+	if err := MkdirAll(param.Monitoring_DataLocation.GetString(), 0750, user.Uid, user.Gid); err != nil {
 		return errors.Wrapf(err, "failure when creating a directory for the monitoring data")
 	}
 
-	if err := os.MkdirAll(param.Shoveler_QueueDirectory.GetString(), 0750); err != nil {
+	if err := MkdirAll(param.Shoveler_QueueDirectory.GetString(), 0750, user.Uid, user.Gid); err != nil {
 		return errors.Wrapf(err, "failure when creating a directory for the shoveler on-disk queue")
 	}
 	if currentServers.IsEnabled(server_structs.OriginType) {
diff --git a/config/init_server_creds.go b/config/init_server_creds.go
index e2b30259e..8894ee9f4 100644
--- a/config/init_server_creds.go
+++ b/config/init_server_creds.go
@@ -189,20 +189,7 @@ func GeneratePrivateKey(keyLocation string, curve elliptic.Curve, allowRSA bool)
 	if keyLocation == "" {
 		return errors.New("failed to generate private key: key location is empty")
 	}
-	uid, err := GetDaemonUID()
-	if err != nil {
-		return err
-	}
-
-	gid, err := GetDaemonGID()
-	if err != nil {
-		return err
-	}
-	user, err := GetDaemonUser()
-	if err != nil {
-		return err
-	}
-	groupname, err := GetDaemonGroup()
+	user, err := GetPelicanUser()
 	if err != nil {
 		return err
 	}
@@ -222,7 +209,7 @@ func GeneratePrivateKey(keyLocation string, curve elliptic.Curve, allowRSA bool)
 	log.Warningf("Will generate a new private key at location: %v", keyLocation)
 
 	keyDir := filepath.Dir(keyLocation)
-	if err := MkdirAll(keyDir, 0750, -1, gid); err != nil {
+	if err := MkdirAll(keyDir, 0750, -1, user.Gid); err != nil {
 		return err
 	}
 	// In this case, the private key file doesn't exist.
@@ -235,16 +222,16 @@ func GeneratePrivateKey(keyLocation string, curve elliptic.Curve, allowRSA bool)
 	// Windows does not have "chown", has to work differently
 	currentOS := runtime.GOOS
 	if currentOS == "windows" {
-		cmd := exec.Command("icacls", keyLocation, "/grant", user+":F")
+		cmd := exec.Command("icacls", keyLocation, "/grant", user.Username+":F")
 		output, err := cmd.CombinedOutput()
 		if err != nil {
 			return errors.Wrapf(err, "Failed to chown generated key %v to daemon group %v: %s",
-				keyLocation, groupname, string(output))
+				keyLocation, user.Groupname, string(output))
 		}
 	} else { // Else we are running on linux/mac
-		if err = os.Chown(keyLocation, uid, gid); err != nil {
+		if err = os.Chown(keyLocation, user.Uid, user.Gid); err != nil {
 			return errors.Wrapf(err, "Failed to chown generated key %v to daemon group %v",
-				keyLocation, groupname)
+				keyLocation, user.Groupname)
 		}
 	}
 
@@ -273,15 +260,7 @@ func generatePrivateKeyToFile(file *os.File, curve elliptic.Curve) error {
 // for non-production environment so that we can use the private key of the CA
 // to sign the host certificate
 func GenerateCACert() error {
-	gid, err := GetDaemonGID()
-	if err != nil {
-		return err
-	}
-	groupname, err := GetDaemonGroup()
-	if err != nil {
-		return err
-	}
-	user, err := GetDaemonUser()
+	user, err := GetPelicanUser()
 	if err != nil {
 		return err
 	}
@@ -306,7 +285,7 @@ func GenerateCACert() error {
 
 	// No existing CA cert present, generate a new CA root certificate and private key
 	tlsCertDir := filepath.Dir(tlsCACert)
-	if err := MkdirAll(tlsCertDir, 0755, -1, gid); err != nil {
+	if err := MkdirAll(tlsCertDir, 0755, user.Uid, user.Gid); err != nil {
 		return err
 	}
 
@@ -364,16 +343,16 @@ func GenerateCACert() error {
 	// Windows does not have "chown", has to work differently
 	currentOS := runtime.GOOS
 	if currentOS == "windows" {
-		cmd := exec.Command("icacls", tlsCACert, "/grant", user+":F")
+		cmd := exec.Command("icacls", tlsCACert, "/grant", user.Username+":F")
 		output, err := cmd.CombinedOutput()
 		if err != nil {
 			return errors.Wrapf(err, "Failed to chown generated key %v to daemon group %v: %s",
-				tlsCACert, groupname, string(output))
+				tlsCACert, user.Groupname, string(output))
 		}
 	} else { // Else we are running on linux/mac
-		if err = os.Chown(tlsCACert, -1, gid); err != nil {
+		if err = os.Chown(tlsCACert, user.Uid, user.Gid); err != nil {
 			return errors.Wrapf(err, "Failed to chown generated key %v to daemon group %v",
-				tlsCACert, groupname)
+				tlsCACert, user.Groupname)
 		}
 	}
 
@@ -408,7 +387,7 @@ func LoadCertificate(certFile string) (*x509.Certificate, error) {
 		}
 	}
 	if cert == nil {
-		return nil, fmt.Errorf("Certificate file, %v, contains no certificate", certFile)
+		return nil, fmt.Errorf("certificate file, %v, contains no certificate", certFile)
 	}
 	return cert, nil
 }
@@ -416,15 +395,7 @@ func LoadCertificate(certFile string) (*x509.Certificate, error) {
 // Generate a TLS certificate (host certificate) and its private key
 // for non-production environment if the required TLS files are not present
 func GenerateCert() error {
-	gid, err := GetDaemonGID()
-	if err != nil {
-		return err
-	}
-	groupname, err := GetDaemonGroup()
-	if err != nil {
-		return err
-	}
-	user, err := GetDaemonUser()
+	user, err := GetPelicanUser()
 	if err != nil {
 		return err
 	}
@@ -483,7 +454,7 @@ func GenerateCert() error {
 	}
 
 	tlsCertDir := filepath.Dir(tlsCert)
-	if err := MkdirAll(tlsCertDir, 0755, -1, gid); err != nil {
+	if err := MkdirAll(tlsCertDir, 0755, user.Uid, user.Gid); err != nil {
 		return err
 	}
 
@@ -554,16 +525,16 @@ func GenerateCert() error {
 	// Windows does not have "chown", has to work differently
 	currentOS := runtime.GOOS
 	if currentOS == "windows" {
-		cmd := exec.Command("icacls", tlsCert, "/grant", user+":F")
+		cmd := exec.Command("icacls", tlsCert, "/grant", user.Username+":F")
 		output, err := cmd.CombinedOutput()
 		if err != nil {
 			return errors.Wrapf(err, "Failed to chown generated key %v to daemon group %v: %s",
-				tlsCert, groupname, string(output))
+				tlsCert, user.Groupname, string(output))
 		}
 	} else { // Else we are running on linux/mac
-		if err = os.Chown(tlsCert, -1, gid); err != nil {
+		if err = os.Chown(tlsCert, user.Uid, user.Gid); err != nil {
 			return errors.Wrapf(err, "Failed to chown generated key %v to daemon group %v",
-				tlsCert, groupname)
+				tlsCert, user.Groupname)
 		}
 	}
 
@@ -857,20 +828,7 @@ func GenerateSessionSecret() error {
 		return errors.New("Empty filename for Server_SessionSecretFile")
 	}
 
-	uid, err := GetDaemonUID()
-	if err != nil {
-		return err
-	}
-
-	gid, err := GetDaemonGID()
-	if err != nil {
-		return err
-	}
-	user, err := GetDaemonUser()
-	if err != nil {
-		return err
-	}
-	groupname, err := GetDaemonGroup()
+	user, err := GetPelicanUser()
 	if err != nil {
 		return err
 	}
@@ -891,7 +849,7 @@ func GenerateSessionSecret() error {
 		return errors.Wrap(err, "Failed to load session secret due to I/O error")
 	}
 	keyDir := filepath.Dir(secretLocation)
-	if err := MkdirAll(keyDir, 0750, -1, gid); err != nil {
+	if err := MkdirAll(keyDir, 0750, user.Uid, user.Gid); err != nil {
 		return err
 	}
 
@@ -904,16 +862,16 @@ func GenerateSessionSecret() error {
 	// Windows does not have "chown", has to work differently
 	currentOS := runtime.GOOS
 	if currentOS == "windows" {
-		cmd := exec.Command("icacls", secretLocation, "/grant", user+":F")
+		cmd := exec.Command("icacls", secretLocation, "/grant", user.Username+":F")
 		output, err := cmd.CombinedOutput()
 		if err != nil {
 			return errors.Wrapf(err, "Failed to chown generated session secret %v to daemon group %v: %s",
-				secretLocation, groupname, string(output))
+				secretLocation, user.Groupname, string(output))
 		}
 	} else { // Else we are running on linux/mac
-		if err = os.Chown(secretLocation, uid, gid); err != nil {
+		if err = os.Chown(secretLocation, user.Uid, user.Gid); err != nil {
 			return errors.Wrapf(err, "Failed to chown generated session secret %v to daemon group %v",
-				secretLocation, groupname)
+				secretLocation, user.Groupname)
 		}
 	}
 
diff --git a/config/mkdirall.go b/config/mkdirall.go
index fc6e035e7..934cddc59 100644
--- a/config/mkdirall.go
+++ b/config/mkdirall.go
@@ -21,6 +21,7 @@ package config
 import (
 	"os"
 	"os/exec"
+	"path/filepath"
 	"runtime"
 	"syscall"
 
@@ -101,3 +102,101 @@ func MkdirAll(path string, perm os.FileMode, uid int, gid int) error {
 	}
 	return nil
 }
+
+func setFileAndDirPerms(paths []string, dirPerm os.FileMode, perm os.FileMode, uid int, gid int, recursive bool) error {
+	dirs := map[string]bool{}
+	for _, path := range paths {
+		// Create the parent directory if it doesn't exist
+		dir := filepath.Dir(path)
+		err := MkdirAll(dir, dirPerm, uid, gid)
+		if err != nil {
+			return errors.Wrapf(err, "Failed to create directory %v", dir)
+		}
+		// Set the permissions on the parent directory
+		err = os.Chmod(dir, dirPerm)
+		if err != nil {
+			return errors.Wrapf(err, "Failed to set permissions on directory %v", dir)
+		}
+		if err = os.Chown(dir, uid, gid); err != nil {
+			return errors.Wrapf(err, "Failed to chown directory %v", dir)
+		}
+		if recursive {
+			dirs[dir] = true
+		}
+		// Skip the file if it doesn't exist
+		if _, err := os.Stat(path); os.IsNotExist(err) {
+			continue
+		}
+		// Set the permissions on the file
+		if err = os.Chmod(path, perm); err != nil {
+			return errors.Wrapf(err, "Failed to set permissions on file %v", path)
+		}
+		if err = os.Chown(path, uid, gid); err != nil {
+			return errors.Wrapf(err, "Failed to chown file %v", path)
+		}
+	}
+	// Set the permissions on all sub-directories, when recursive is set to true
+	for dir := range dirs {
+		if err := filepath.WalkDir(dir, func(path string, d os.DirEntry, err error) error {
+			if err != nil {
+				return err
+			}
+			itemPerm := perm
+			if d.IsDir() {
+				itemPerm = dirPerm
+			}
+			if err = os.Chmod(path, itemPerm); err != nil {
+				return errors.Wrapf(err, "Failed to set permissions on directory %v", path)
+			}
+			if err = os.Chown(path, uid, gid); err != nil {
+				return errors.Wrapf(err, "Failed to chown directory %v", path)
+			}
+			return nil
+		}); err != nil {
+			return errors.Wrapf(err, "Failed to walk directory %v", dir)
+		}
+	}
+	return nil
+}
+
+func setDirPerms(paths []string, dirPerm os.FileMode, perm os.FileMode, uid int, gid int, recursive bool) error {
+	dirs := map[string]bool{}
+	for _, path := range paths {
+		if path == "" {
+			continue
+		}
+		dirs[path] = true
+	}
+	for dir := range dirs {
+		err := MkdirAll(dir, dirPerm, uid, gid)
+		if err != nil {
+			return errors.Wrapf(err, "Failed to create directory %v", dir)
+		}
+		err = os.Chmod(dir, dirPerm)
+		if err != nil {
+			return errors.Wrapf(err, "Failed to set permissions on directory %v", dir)
+		}
+		if err = os.Chown(dir, uid, gid); err != nil {
+			return errors.Wrapf(err, "Failed to chown directory %v", dir)
+		}
+		if err := filepath.WalkDir(dir, func(path string, d os.DirEntry, err error) error {
+			if err != nil {
+				return err
+			}
+			itemPerm := perm
+			if d.IsDir() {
+				itemPerm = dirPerm
+			}
+			if err = os.Chmod(path, itemPerm); err != nil {
+				return errors.Wrapf(err, "Failed to set permissions on directory %v", path)
+			}
+			if err = os.Chown(path, uid, gid); err != nil {
+				return errors.Wrapf(err, "Failed to chown directory %v", path)
+			}
+			return nil
+		}); err != nil {
+			return errors.Wrapf(err, "Failed to walk directory %v", dir)
+		}
+	}
+	return nil
+}
diff --git a/config/privs.go b/config/privs.go
index d9e67ba39..8d306b76d 100644
--- a/config/privs.go
+++ b/config/privs.go
@@ -24,8 +24,11 @@ import (
 	"runtime"
 	"strconv"
 	"strings"
+	"sync"
 
 	"github.com/pkg/errors"
+
+	"github.com/pelicanplatform/pelican/param"
 )
 
 type User struct {
@@ -40,8 +43,11 @@ type User struct {
 var (
 	isRootExec bool
 
-	xrootdUser User
-	oa4mpUser  User
+	xrootdUser  User
+	oa4mpUser   User
+	pelicanUser User
+
+	pelicanOnce sync.Once
 )
 
 func init() {
@@ -50,16 +56,20 @@ func init() {
 
 	xrootdUser = newUser()
 	oa4mpUser = newUser()
+	pelicanUser = newUser()
 
 	if isRootExec {
 		xrootdUser = initUserObject("xrootd", nil)
 		oa4mpUser = initUserObject("tomcat", nil)
+		pelicanUser = initUserObject("root", nil)
 	} else if err != nil {
 		xrootdUser.err = err
 		oa4mpUser.err = err
+		pelicanUser.err = err
 	} else {
 		xrootdUser = initUserObject(userObj.Username, userObj)
 		oa4mpUser = initUserObject(userObj.Username, userObj)
+		pelicanUser = initUserObject(userObj.Username, userObj)
 	}
 }
 
@@ -177,3 +187,12 @@ func GetDaemonGroup() (string, error) {
 func GetOA4MPUser() (User, error) {
 	return oa4mpUser, oa4mpUser.err
 }
+
+func GetPelicanUser() (User, error) {
+	pelicanOnce.Do(func() {
+		if param.Server_DropPrivileges.GetBool() {
+			pelicanUser = initUserObject(param.Server_UnprivilegedUser.GetString(), nil)
+		}
+	})
+	return pelicanUser, pelicanUser.err
+}
diff --git a/config/resources/defaults.yaml b/config/resources/defaults.yaml
index f39c50d57..786ed779c 100644
--- a/config/resources/defaults.yaml
+++ b/config/resources/defaults.yaml
@@ -28,6 +28,7 @@ Server:
   RegistrationRetryInterval: 10s
   StartupTimeout: 10s
   UILoginRateLimit: 1
+  UnprivilegedUser: pelican
 Director:
   DefaultResponse: cache
   CacheSortMethod: "distance"
diff --git a/daemon/launch.go b/daemon/launch.go
index 9096e34c3..349998185 100644
--- a/daemon/launch.go
+++ b/daemon/launch.go
@@ -26,6 +26,7 @@ type (
 	Launcher interface {
 		Name() string
 		Launch(ctx context.Context) (context.Context, int, error)
+		KillFunc() func(pid int, sig int) error
 	}
 
 	DaemonLauncher struct {
@@ -34,6 +35,7 @@ type (
 		Uid        int
 		Gid        int
 		ExtraEnv   []string
+		InheritFds []int
 	}
 )
 
diff --git a/daemon/launch_unix.go b/daemon/launch_unix.go
index fee01c518..abf01b9ac 100644
--- a/daemon/launch_unix.go
+++ b/daemon/launch_unix.go
@@ -42,10 +42,11 @@ import (
 
 type (
 	launchInfo struct {
-		ctx    context.Context
-		expiry time.Time
-		pid    int
-		name   string
+		ctx      context.Context
+		expiry   time.Time
+		pid      int
+		name     string
+		killFunc func(pid int, sig int) error
 	}
 )
 
@@ -150,6 +151,13 @@ func (launcher DaemonLauncher) Launch(ctx context.Context) (context.Context, int
 		cmd.Env = append(newEnv, launcher.ExtraEnv...)
 	}
 
+	if len(launcher.InheritFds) > 0 {
+		cmd.ExtraFiles = make([]*os.File, len(launcher.InheritFds))
+		for idx, fd := range launcher.InheritFds {
+			cmd.ExtraFiles[idx] = os.NewFile(uintptr(fd), "")
+		}
+	}
+
 	if err := cmd.Start(); err != nil {
 		return ctx, -1, err
 	}
@@ -162,6 +170,19 @@ func (launcher DaemonLauncher) Launch(ctx context.Context) (context.Context, int
 	return ctx_result, cmd.Process.Pid, nil
 }
 
+func (launcher DaemonLauncher) KillFunc() func(pid int, sig int) error {
+	return func(pid int, sig int) error {
+		process, err := os.FindProcess(pid)
+		if err != nil {
+			return errors.Wrapf(err, "unable to find PID %d", pid)
+		}
+		if err = process.Signal(syscall.Signal(sig)); err != nil {
+			return errors.Wrapf(err, "failed to send signal %d to process with pid %d", sig, pid)
+		}
+		return nil
+	}
+}
+
 func LaunchDaemons(ctx context.Context, launchers []Launcher, egrp *errgroup.Group) (pids []int, err error) {
 
 	daemons := make([]launchInfo, len(launchers))
@@ -180,6 +201,7 @@ func LaunchDaemons(ctx context.Context, launchers []Launcher, egrp *errgroup.Gro
 		daemons[idx].ctx = newCtx
 		daemons[idx].pid = pid
 		daemons[idx].name = daemon.Name()
+		daemons[idx].killFunc = daemon.KillFunc()
 		pids[idx] = pid
 		log.Infoln("Successfully launched", daemon.Name())
 		metrics.SetComponentHealthStatus(metrics.HealthStatusComponent(metricName), metrics.StatusOK, "")
@@ -211,7 +233,7 @@ func LaunchDaemons(ctx context.Context, launchers []Launcher, egrp *errgroup.Gro
 				log.Warnf("Forwarding signal %v to daemons\n", sys_sig)
 				var lastErr error
 				for idx, daemon := range daemons {
-					if err = syscall.Kill(daemon.pid, sys_sig); err != nil {
+					if err = daemon.killFunc(daemon.pid, int(sys_sig)); err != nil {
 						lastErr = errors.Wrapf(err, "Failed to forward signal to %s process", launchers[idx].Name())
 					}
 					daemon.expiry = time.Now().Add(10 * time.Second)
@@ -226,7 +248,7 @@ func LaunchDaemons(ctx context.Context, launchers []Launcher, egrp *errgroup.Gro
 				// Kill the daemon if it's still alive
 				exists := checkPIDExists(daemons[chosen].pid)
 				if exists {
-					if err = syscall.Kill(daemons[chosen].pid, syscall.SIGTERM); err != nil {
+					if err = daemons[chosen].killFunc(daemons[chosen].pid, int(syscall.SIGTERM)); err != nil {
 						err = errors.Wrapf(err, "Failed to kill %s with pid %d", daemons[chosen].name, daemons[chosen].pid)
 						log.Errorln(err)
 						return err
@@ -253,7 +275,7 @@ func LaunchDaemons(ctx context.Context, launchers []Launcher, egrp *errgroup.Gro
 				for idx, daemon := range daemons {
 					// Daemon is expired, clean up
 					if !daemon.expiry.IsZero() && time.Now().After(daemon.expiry) {
-						if err = syscall.Kill(daemon.pid, syscall.SIGKILL); err != nil {
+						if err = daemon.killFunc(daemon.pid, int(syscall.SIGKILL)); err != nil {
 							err = errors.Wrapf(err, "Failed to SIGKILL the %s process", launchers[idx].Name())
 							log.Errorln(err)
 							return err
diff --git a/daemon/launch_windows.go b/daemon/launch_windows.go
index fa31cd675..8ee8bdbaa 100644
--- a/daemon/launch_windows.go
+++ b/daemon/launch_windows.go
@@ -36,6 +36,12 @@ func (launcher DaemonLauncher) Launch(ctx context.Context) (context.Context, int
 	return context.Background(), -1, errors.New("launching daemons is not supported on Windows")
 }
 
+func (launcher DaemonLauncher) KillFunc() func(pid int, sig int) error {
+	return func(pid int, sig int) error {
+		return errors.New("killing daemons is not supported on Windows")
+	}
+}
+
 func ForwardCommandToLogger(ctx context.Context, daemonName string, cmdStdout io.ReadCloser, cmdStderr io.ReadCloser) {
 	return
 }
diff --git a/docs/parameters.yaml b/docs/parameters.yaml
index 508765cbf..ad812ed03 100644
--- a/docs/parameters.yaml
+++ b/docs/parameters.yaml
@@ -2193,6 +2193,21 @@ type: bool
 default: false
 components: ["cache", "director", "origin", "registry"]
 ---
+name: Server.DropPrivileges
+description: |+
+  If the server has been started with root privileges, drop down to an unprivileged user.
+type: bool
+default: false
+components: ["*"]
+---
+name: Server.UnprivilegedUser
+description: |+
+  The user to run as after dropping root privileges.
+  This is only relevant if `Server.DropPrivileges` is set to true
+type: string
+default: pelican
+components: ["*"]
+---
 ################################
 #   Issuer's Configurations    #
 ################################
diff --git a/images/Dockerfile b/images/Dockerfile
index c4b0765ec..4e16590ad 100644
--- a/images/Dockerfile
+++ b/images/Dockerfile
@@ -168,12 +168,17 @@ ENDRUN
 #################################################################
 FROM hub.opensciencegrid.org/osg-htc/software-base:${OSG_SERIES}-${BASE_OS}-${OSG_REPO} AS pelican-software-base
 ARG TARGETPLATFORM
+ARG PELICAN_USER=pelican
 
 WORKDIR /pelican
 
 RUN --mount=type=cache,id=dnf-${TARGETPLATFORM},target=/var/cache/dnf,sharing=locked <<ENDRUN
   set -eux
 
+  # Create pelican user and group
+  groupadd -g 10941 ${PELICAN_USER}
+  useradd -u 10941 -g 10941 -d / -s /sbin/nologin ${PELICAN_USER}
+
   # Throughout this build, we will have Docker's build process cache dnf's
   # cache directory, so that we can not include it in any final images and
   # also not incur the penalty of constantly re-pulling repo metadata.
diff --git a/launchers/droppriv_unix.go b/launchers/droppriv_unix.go
new file mode 100644
index 000000000..e33ba4c3e
--- /dev/null
+++ b/launchers/droppriv_unix.go
@@ -0,0 +1,57 @@
+//go:build !windows
+
+/***************************************************************
+ *
+ * Copyright (C) 2024, Pelican Project, Morgridge Institute for Research
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you
+ * may not use this file except in compliance with the License.  You may
+ * obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ ***************************************************************/
+
+package launchers
+
+import (
+	"syscall"
+
+	"github.com/pkg/errors"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/pelicanplatform/pelican/config"
+	"github.com/pelicanplatform/pelican/param"
+)
+
+func dropPrivileges() (err error) {
+	log.Info("Dropping privileges to user ", param.Server_UnprivilegedUser.GetString())
+	var puser config.User
+	puser, err = config.GetPelicanUser()
+	if err != nil {
+		return
+	}
+	if puser.Uid == 0 {
+		err = errors.Errorf("unable to drop privileges to user (%s) with UID 0", puser.Username)
+		return
+	}
+	if puser.Gid == 0 {
+		err = errors.Errorf("unable to drop privileges to user (user %s, group %s) with GID 0", puser.Username, puser.Groupname)
+		return
+	}
+	if err = syscall.Setgid(puser.Gid); err != nil {
+		err = errors.Wrap(err, "failed to drop group privileges")
+		return
+	}
+	if err = syscall.Setuid(puser.Uid); err != nil {
+		err = errors.Wrap(err, "failed to drop user privileges")
+		return
+	}
+	return
+}
diff --git a/launchers/droppriv_windows.go b/launchers/droppriv_windows.go
new file mode 100644
index 000000000..99ddd999d
--- /dev/null
+++ b/launchers/droppriv_windows.go
@@ -0,0 +1,27 @@
+//go:build windows
+
+/***************************************************************
+ *
+ * Copyright (C) 2024, Pelican Project, Morgridge Institute for Research
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you
+ * may not use this file except in compliance with the License.  You may
+ * obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ ***************************************************************/
+
+package launchers
+
+import "github.com/pkg/errors"
+
+func dropPrivileges() (err error) {
+	return errors.New("dropping privileges is not supported on Windows")
+}
diff --git a/launchers/launcher.go b/launchers/launcher.go
index 521f8e096..6e1e67bcb 100644
--- a/launchers/launcher.go
+++ b/launchers/launcher.go
@@ -329,6 +329,13 @@ func LaunchModules(ctx context.Context, modules server_structs.ServerType) (serv
 		}
 	}
 
+	// Now that we've launched XRootD (which should drop their privileges to the xrootd user), we can drop our own
+	if config.IsRootExecution() && param.Server_DropPrivileges.GetBool() {
+		if err = dropPrivileges(); err != nil {
+			return
+		}
+	}
+
 	if modules.IsEnabled(server_structs.OriginType) || modules.IsEnabled(server_structs.CacheType) {
 		log.Debug("Launching periodic advertise of origin/cache server to the director")
 		if err = launcher_utils.LaunchPeriodicAdvertise(ctx, egrp, servers); err != nil {
diff --git a/param/parameters.go b/param/parameters.go
index f5fed486b..13fe5dbb9 100644
--- a/param/parameters.go
+++ b/param/parameters.go
@@ -262,6 +262,7 @@ var (
 	Server_TLSKey = StringParam{"Server.TLSKey"}
 	Server_UIActivationCodeFile = StringParam{"Server.UIActivationCodeFile"}
 	Server_UIPasswordFile = StringParam{"Server.UIPasswordFile"}
+	Server_UnprivilegedUser = StringParam{"Server.UnprivilegedUser"}
 	Server_WebConfigFile = StringParam{"Server.WebConfigFile"}
 	Server_WebHost = StringParam{"Server.WebHost"}
 	Shoveler_AMQPExchange = StringParam{"Shoveler.AMQPExchange"}
@@ -391,6 +392,7 @@ var (
 	Registry_RequireCacheApproval = BoolParam{"Registry.RequireCacheApproval"}
 	Registry_RequireKeyChaining = BoolParam{"Registry.RequireKeyChaining"}
 	Registry_RequireOriginApproval = BoolParam{"Registry.RequireOriginApproval"}
+	Server_DropPrivileges = BoolParam{"Server.DropPrivileges"}
 	Server_EnablePprof = BoolParam{"Server.EnablePprof"}
 	Server_EnableUI = BoolParam{"Server.EnableUI"}
 	Server_HealthMonitoringPublic = BoolParam{"Server.HealthMonitoringPublic"}
diff --git a/param/parameters_struct.go b/param/parameters_struct.go
index 242c9f8b8..c5b68732b 100644
--- a/param/parameters_struct.go
+++ b/param/parameters_struct.go
@@ -267,6 +267,7 @@ type Config struct {
 		RequireOriginApproval bool `mapstructure:"requireoriginapproval" yaml:"RequireOriginApproval"`
 	} `mapstructure:"registry" yaml:"Registry"`
 	Server struct {
+		DropPrivileges bool `mapstructure:"dropprivileges" yaml:"DropPrivileges"`
 		EnablePprof bool `mapstructure:"enablepprof" yaml:"EnablePprof"`
 		EnableUI bool `mapstructure:"enableui" yaml:"EnableUI"`
 		ExternalWebUrl string `mapstructure:"externalweburl" yaml:"ExternalWebUrl"`
@@ -290,6 +291,7 @@ type Config struct {
 		UIAdminUsers []string `mapstructure:"uiadminusers" yaml:"UIAdminUsers"`
 		UILoginRateLimit int `mapstructure:"uiloginratelimit" yaml:"UILoginRateLimit"`
 		UIPasswordFile string `mapstructure:"uipasswordfile" yaml:"UIPasswordFile"`
+		UnprivilegedUser string `mapstructure:"unprivilegeduser" yaml:"UnprivilegedUser"`
 		WebConfigFile string `mapstructure:"webconfigfile" yaml:"WebConfigFile"`
 		WebHost string `mapstructure:"webhost" yaml:"WebHost"`
 		WebPort int `mapstructure:"webport" yaml:"WebPort"`
@@ -595,6 +597,7 @@ type configWithType struct {
 		RequireOriginApproval struct { Type string; Value bool }
 	}
 	Server struct {
+		DropPrivileges struct { Type string; Value bool }
 		EnablePprof struct { Type string; Value bool }
 		EnableUI struct { Type string; Value bool }
 		ExternalWebUrl struct { Type string; Value string }
@@ -618,6 +621,7 @@ type configWithType struct {
 		UIAdminUsers struct { Type string; Value []string }
 		UILoginRateLimit struct { Type string; Value int }
 		UIPasswordFile struct { Type string; Value string }
+		UnprivilegedUser struct { Type string; Value string }
 		WebConfigFile struct { Type string; Value string }
 		WebHost struct { Type string; Value string }
 		WebPort struct { Type string; Value int }
diff --git a/xrootd/commsocket_default.go b/xrootd/commsocket_default.go
new file mode 100644
index 000000000..5f218451d
--- /dev/null
+++ b/xrootd/commsocket_default.go
@@ -0,0 +1,74 @@
+//go:build !windows
+
+/***************************************************************
+ *
+ * Copyright (C) 2024, Pelican Project, Morgridge Institute for Research
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you
+ * may not use this file except in compliance with the License.  You may
+ * obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ ***************************************************************/
+
+package xrootd
+
+import (
+	"os"
+	"syscall"
+)
+
+var (
+	g_origin_fds [2]int
+	g_cache_fds  [2]int
+)
+
+func init() {
+	g_origin_fds = [2]int{-1, -1}
+	g_cache_fds = [2]int{-1, -1}
+}
+
+// Set the global copy of the origin's communication FDs
+// To be used later for sending updated CAs and host certificates.
+func setOriginFds(fds [2]int) {
+	g_origin_fds = fds
+}
+
+// Set the global copy of the cache's communication FDs
+// To be used later for sending updated CAs and host certificates.
+func setCacheFds(fds [2]int) {
+	g_cache_fds = fds
+}
+
+// Send a provided file descriptor to a child xrootd process.
+// If the `origin` is true, it'll send the FD to origin;
+// otherwise, it'll send it to cache.
+// If the origin/cache FD is not set, it'll return nil.
+func sendChildFD(origin bool, cmd int, fp *os.File) error {
+	rights := syscall.UnixRights(int(fp.Fd()))
+	if origin {
+		if g_origin_fds[0] == -1 {
+			return nil
+		}
+		return syscall.Sendmsg(g_origin_fds[0], []byte{byte(cmd)}, rights, nil, 0)
+	}
+	if g_cache_fds[0] == -1 {
+		return nil
+	}
+	return syscall.Sendmsg(g_cache_fds[0], []byte{byte(cmd)}, rights, nil, 0)
+}
+
+// Close the child socket
+func closeChildSocket(origin bool) error {
+	if origin {
+		return syscall.Close(g_origin_fds[0])
+	}
+	return syscall.Close(g_cache_fds[0])
+}
diff --git a/xrootd/commsocket_windows.go b/xrootd/commsocket_windows.go
new file mode 100644
index 000000000..a9741627b
--- /dev/null
+++ b/xrootd/commsocket_windows.go
@@ -0,0 +1,43 @@
+//go:build windows
+
+/***************************************************************
+ *
+ * Copyright (C) 2024, Pelican Project, Morgridge Institute for Research
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you
+ * may not use this file except in compliance with the License.  You may
+ * obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ ***************************************************************/
+
+package xrootd
+
+import (
+	"os"
+
+	"github.com/pkg/errors"
+)
+
+// Set the origin's FDs; not implemented on Windows
+func setOriginFds([2]int) {}
+
+// Set the cache's FDs; not implemented on Windows
+func setCacheFds([2]int) {}
+
+// Send a provided file descriptor to a child xrootd process; not implemented on Windows
+func sendChildFD(bool, int, *os.File) error {
+	return errors.New("sendChildFD not implemented on Windows")
+}
+
+// Close the child socket; not implemented on Windows
+func closeChildSocket(origin bool) error {
+	return errors.New("closeChildSocket not implemented on Windows")
+}
diff --git a/xrootd/drop_privilege_test.go b/xrootd/drop_privilege_test.go
new file mode 100644
index 000000000..052053685
--- /dev/null
+++ b/xrootd/drop_privilege_test.go
@@ -0,0 +1,223 @@
+//go:build !windows
+
+/***************************************************************
+ *
+ * Copyright (C) 2024, Pelican Project, Morgridge Institute for Research
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you
+ * may not use this file except in compliance with the License.  You may
+ * obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ ***************************************************************/
+
+package xrootd
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"syscall"
+	"testing"
+
+	"github.com/spf13/viper"
+	"github.com/stretchr/testify/require"
+
+	"github.com/pelicanplatform/pelican/config"
+	"github.com/pelicanplatform/pelican/origin"
+	"github.com/pelicanplatform/pelican/server_utils"
+	"github.com/pelicanplatform/pelican/test_utils"
+)
+
+const (
+	CmdUpdateCA = 1
+)
+
+// isValidFD checks if a file descriptor is valid.
+func isValidFD(fd int) (bool, error) {
+	if fd < 0 {
+		return false, nil
+	}
+	var stat syscall.Stat_t
+	err := syscall.Fstat(fd, &stat)
+	if err != nil && err != syscall.EBADF {
+		return false, err
+	}
+	return true, err
+}
+
+func mockXRootDProcess(t *testing.T, fds [2]int, ready chan<- struct{}) {
+	t.Logf("Mock XRootD Process started. FDs: %v", fds)
+	close(ready) // Signal that mockXRootDProcess is ready
+
+	commandBuf := make([]byte, 1)
+
+	// Read the command byte sent by the another process
+	n, err := syscall.Read(fds[0], commandBuf)
+	if err != nil {
+		t.Errorf("Mock XRootD: Error receiving command: %v", err)
+		return
+	}
+	if n != 1 {
+		t.Errorf("Mock XRootD: Expected to read 1 command byte, but read: %d", n)
+		return
+	}
+
+	cmd := commandBuf[0]
+
+	switch cmd {
+	case byte(CmdUpdateCA):
+		t.Log("Mock XRootD: Received CmdUpdateCA")
+	default:
+		t.Errorf("Mock XRootD received unexpected command")
+		return
+	}
+}
+
+func startMockXrootdProcess(t *testing.T, isOrigin bool) (ready <-chan struct{}) {
+	readyChan := make(chan struct{})
+	ready = readyChan
+
+	var targetFds *[2]int
+	fds, err := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM, 0)
+	require.NoError(t, err)
+	if isOrigin {
+		g_origin_fds = [2]int{fds[0], fds[1]}
+		targetFds = &g_origin_fds
+	} else {
+		g_cache_fds = [2]int{fds[0], fds[1]}
+		targetFds = &g_cache_fds
+	}
+
+	isValidFD, err := isValidFD(g_origin_fds[1])
+	require.True(t, isValidFD, "Write file descriptor is not valid (os.Stat err)")
+	require.NoError(t, err)
+
+	go mockXRootDProcess(t, *targetFds, readyChan)
+
+	return ready
+}
+
+// receiveFD reads the file descriptor from its global variable
+func receiveFD(isOrigin bool) (int, error) {
+	var readFD int
+
+	if isOrigin {
+		readFD = g_origin_fds[0]
+	} else {
+		readFD = g_cache_fds[0]
+	}
+
+	isValid, err := isValidFD(readFD)
+	if !isValid || err != nil {
+		return -1, fmt.Errorf("invalid FD: %d %w", readFD, err)
+	}
+
+	return readFD, nil
+}
+
+// generateTestCert generates a self-signed certificate and key for testing
+func generateTestCert(runDir string) (certPath, keyPath string, err error) {
+	// Create cert and key files
+	certPath = filepath.Join(runDir, "cert.pem")
+	keyPath = filepath.Join(runDir, "key.pem")
+
+	viper.Set("IssuerKey", keyPath)
+	viper.Set("Server.TLSCertificateChain", certPath)
+	viper.Set("Server.TLSKey", keyPath)
+	viper.Set("Server.TLSCACertificateFile", filepath.Join(runDir, "ca.pem"))
+	viper.Set("Server.TLSCAKey", filepath.Join(runDir, "ca-key.pem"))
+	viper.Set("Server.Hostname", "localhost")
+
+	err = config.GenerateCert() // GenerateCert uses the viper config set above
+
+	return certPath, keyPath, err
+}
+
+func TestDropPrivilegeSignaling(t *testing.T) {
+	server_utils.ResetTestState()
+	_, cancel, egrp := test_utils.TestContext(context.Background(), t)
+	t.Cleanup(func() {
+		cancel()
+		require.NoError(t, egrp.Wait())
+		server_utils.ResetTestState()
+	})
+
+	runDir := t.TempDir()
+	viper.Set("Origin.RunLocation", runDir)
+	viper.Set("Cache.RunLocation", runDir)
+	viper.Set("ConfigDir", runDir)
+	config.InitConfig()
+
+	pelicanDir := filepath.Join(runDir, "pelican")
+	err := os.Mkdir(pelicanDir, 0755)
+	require.NoError(t, err, "Failed to create pelican directory")
+
+	// Set the configuration parameters before calling any xrootd functions
+	certFile, keyFile, err := generateTestCert(runDir)
+	require.NoError(t, err, "Failed to generate test certificate")
+
+	require.NotEmpty(t, certFile, "Empty certificate file path")
+	require.NotEmpty(t, keyFile, "Empty key file path")
+
+	// Dummy CA bundle data
+	caBundleData := []byte("Test CA Bundle Content")
+	caBundleFile := filepath.Join(runDir, "ca-bundle.crt")
+	require.NoError(t, os.WriteFile(caBundleFile, caBundleData, 0644))
+
+	// Open the CA bundle file
+	caBundle, err := os.Open(caBundleFile)
+	require.NoError(t, err, "Failed to open CA bundle file")
+	defer caBundle.Close()
+
+	isOrigin := true
+	// Start mock XRootD (sets up the IPC)
+	ready := startMockXrootdProcess(t, isOrigin)
+	defer func() {
+		err := closeChildSocket(isOrigin)
+		require.NoError(t, err, "Failed to close child socket")
+	}()
+
+	// The ready channel signals to the test function that the mock XRootD process is ready to receive data (the command byte)
+	<-ready
+
+	viper.Set("Server.DropPrivileges", true)
+
+	// Send the command byte BEFORE calling dropPrivilegeCopy
+	command := []byte{byte(CmdUpdateCA)}
+
+	if isOrigin {
+		// Verify FD is valid before writing
+		isValidFD, err := isValidFD(g_origin_fds[1])
+		require.True(t, isValidFD, "Write file descriptor is not valid (os.Stat err)")
+		require.NoError(t, err)
+
+		t.Log("Global origin FDs: ", g_origin_fds)
+		t.Logf("Writing %x to fd %d", command, g_origin_fds[1])
+
+		n, err := syscall.Write(g_origin_fds[1], command)
+		require.NoError(t, err, "Failed to send command byte")
+		require.Equal(t, 1, n, "Expected to write 1 byte")
+	} else {
+		_, err = syscall.Write(g_cache_fds[1], command)
+		require.NoError(t, err, "Failed to send command byte")
+	}
+
+	// Call the function under test
+	t.Logf("Before dropPrivilegeCopy, g_origin_fds: %v", g_origin_fds)
+	err = dropPrivilegeCopy(&origin.OriginServer{})
+	require.NoError(t, err, "dropPrivilegeCopy failed")
+	t.Logf("After dropPrivilegeCopy, g_origin_fds: %v", g_origin_fds)
+
+	// Get the file descriptor sent by dropPrivilegeCopy
+	_, err = receiveFD(isOrigin)
+	require.NoError(t, err)
+}
diff --git a/xrootd/launch.go b/xrootd/launch.go
index 78416b438..6d5bd9fd0 100644
--- a/xrootd/launch.go
+++ b/xrootd/launch.go
@@ -23,10 +23,12 @@ package xrootd
 import (
 	"context"
 	_ "embed"
+	"encoding/binary"
 	"os"
 	"path/filepath"
 	"regexp"
 	"strconv"
+	"syscall"
 	"time"
 
 	"github.com/pkg/errors"
@@ -42,11 +44,13 @@ type (
 	PrivilegedXrootdLauncher struct {
 		daemonName string
 		configPath string
+		fds        [2]int
 	}
 
 	UnprivilegedXrootdLauncher struct {
 		daemon.DaemonLauncher
 		isCache bool
+		fds     [2]int
 	}
 )
 
@@ -54,6 +58,42 @@ func (launcher PrivilegedXrootdLauncher) Name() string {
 	return launcher.daemonName
 }
 
+func (launcher PrivilegedXrootdLauncher) KillFunc() func(pid int, sig int) error {
+	if param.Server_DropPrivileges.GetBool() {
+		return func(pid int, sig int) error {
+			buff := make([]byte, 5)
+			buff[0] = 0x03
+			binary.BigEndian.PutUint32(buff[1:], uint32(sig))
+			if err := syscall.Sendmsg(launcher.fds[1], buff, nil, nil, 0); err != nil {
+				return errors.Wrap(err, "failed to signal xrootd process")
+			}
+			return nil
+		}
+	} else {
+		return func(pid int, sig int) error {
+			return syscall.Kill(pid, syscall.Signal(sig))
+		}
+	}
+}
+
+func (launcher UnprivilegedXrootdLauncher) KillFunc() func(pid int, sig int) error {
+	if param.Server_DropPrivileges.GetBool() {
+		return func(pid int, sig int) error {
+			buff := make([]byte, 5)
+			buff[0] = 0x03
+			binary.BigEndian.PutUint32(buff[1:], uint32(sig))
+			if err := syscall.Sendmsg(launcher.fds[1], buff, nil, nil, 0); err != nil {
+				return errors.Wrap(err, "failed to signal xrootd process")
+			}
+			return nil
+		}
+	} else {
+		return func(pid int, sig int) error {
+			return syscall.Kill(pid, syscall.Signal(sig))
+		}
+	}
+}
+
 func makeUnprivilegedXrootdLauncher(daemonName string, configPath string, isCache bool) (result UnprivilegedXrootdLauncher, err error) {
 	result.DaemonName = daemonName + ".origin"
 	if isCache {
@@ -62,6 +102,15 @@ func makeUnprivilegedXrootdLauncher(daemonName string, configPath string, isCach
 	result.Uid = -1
 	result.Gid = -1
 	result.isCache = isCache
+	result.fds, err = syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM, 0)
+	if err != nil {
+		return
+	}
+	if isCache {
+		setCacheFds(result.fds)
+	} else {
+		setOriginFds(result.fds)
+	}
 	xrootdRun := param.Origin_RunLocation.GetString()
 	if isCache {
 		xrootdRun = param.Cache_RunLocation.GetString()
@@ -94,14 +143,32 @@ func makeUnprivilegedXrootdLauncher(daemonName string, configPath string, isCach
 		result.ExtraEnv = append(result.ExtraEnv, "XRD_PELICANFEDERATIONMETADATATIMEOUT="+param.Cache_DefaultCacheTimeout.GetDuration().String())
 		result.ExtraEnv = append(result.ExtraEnv, "XRD_PELICANDEFAULTHEADERTIMEOUT="+param.Cache_DefaultCacheTimeout.GetDuration().String())
 	}
+	if param.Server_DropPrivileges.GetBool() {
+		result.ExtraEnv = append(result.ExtraEnv, "XRDHTTP_PELICAN_CA_FILE="+filepath.Join(xrootdRun, "ca-bundle.crt"))
+		result.ExtraEnv = append(result.ExtraEnv, "XRDHTTP_PELICAN_CERT_FILE="+filepath.Join(xrootdRun, "copied-tls-creds.crt"))
+		result.ExtraEnv = append(result.ExtraEnv, "XRDHTTP_PELICAN_INFO_FD="+strconv.Itoa(result.fds[1]))
+	}
 	return
 }
 
 func ConfigureLaunchers(privileged bool, configPath string, useCMSD bool, enableCache bool) (launchers []daemon.Launcher, err error) {
 	if privileged {
-		launchers = append(launchers, PrivilegedXrootdLauncher{"xrootd", configPath})
+		fds, err := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM, 0)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to create socket pair for xrootd")
+		}
+		launchers = append(launchers, PrivilegedXrootdLauncher{"xrootd", configPath, fds})
+		if enableCache {
+			setCacheFds(fds)
+		} else {
+			setOriginFds(fds)
+		}
 		if useCMSD {
-			launchers = append(launchers, PrivilegedXrootdLauncher{"cmsd", configPath})
+			cmsdFds, err := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM, 0)
+			if err != nil {
+				return nil, errors.Wrap(err, "failed to create socket pair for xrootd")
+			}
+			launchers = append(launchers, PrivilegedXrootdLauncher{"cmsd", configPath, cmsdFds})
 		}
 	} else {
 		var result UnprivilegedXrootdLauncher
diff --git a/xrootd/launch_linux.go b/xrootd/launch_linux.go
index dc8613edd..d06edd685 100644
--- a/xrootd/launch_linux.go
+++ b/xrootd/launch_linux.go
@@ -90,10 +90,23 @@ func (plauncher PrivilegedXrootdLauncher) Launch(ctx context.Context) (context.C
 	if err != nil {
 		return ctx, -1, err
 	}
-	launcher := cap.NewLauncher(executable, []string{plauncher.Name(), "-f", "-s", pidFile, "-c", plauncher.configPath}, nil)
+
+	var env []string = nil
+	if plauncher.fds[1] != -1 {
+		env = []string{"XRDHTTP_PELICAN_INFO_FD=3"}
+	}
+
+	launcher := cap.NewLauncher(executable, []string{plauncher.Name(), "-f", "-s", pidFile, "-c", plauncher.configPath}, env)
 	launcher.Callback(func(attrs *syscall.ProcAttr, _ interface{}) error {
 		attrs.Files[1] = writeStdout.Fd()
 		attrs.Files[2] = writeStderr.Fd()
+		if plauncher.fds[1] != -1 {
+			if len(attrs.Files) < 3 {
+				attrs.Files = append(attrs.Files, uintptr(plauncher.fds[1]))
+			} else {
+				attrs.Files[3] = uintptr(plauncher.fds[1])
+			}
+		}
 		return nil
 	})
 	iab := cap.NewIAB()
diff --git a/xrootd/resources/xrootd-cache.cfg b/xrootd/resources/xrootd-cache.cfg
index 67b64cf12..a715148a1 100644
--- a/xrootd/resources/xrootd-cache.cfg
+++ b/xrootd/resources/xrootd-cache.cfg
@@ -32,6 +32,9 @@ http.header2cgi X-Pelican-Timeout pelican.timeout
 http.secxtractor /usr/lib64/libXrdVoms.so
 {{end}}
 http.staticpreload http://static/robots.txt {{.Xrootd.RobotsTxtFile}}
+{{if .Server.DropPrivileges}}
+http.exthandler xrdpelican libXrdHttpPelican.so
+{{end}}
 {{if .Xrootd.Sitename}}
 all.sitename {{.Xrootd.Sitename}}
 {{end}}
diff --git a/xrootd/resources/xrootd-origin.cfg b/xrootd/resources/xrootd-origin.cfg
index c6e2d1315..616fbed4f 100644
--- a/xrootd/resources/xrootd-origin.cfg
+++ b/xrootd/resources/xrootd-origin.cfg
@@ -112,6 +112,9 @@ xrootd.export /.well-known
 ofs.osslib libXrdMultiuser.so default
 ofs.ckslib * libXrdMultiuser.so
 {{end}}
+{{if .Server.DropPrivileges}}
+http.exthandler xrdpelican libXrdHttpPelican.so
+{{end}}
 xrootd.fslib ++ throttle  # throttle plugin is needed to calculate server IO load
 xrootd.chksum max 2 md5 adler32 crc32
 xrootd.trace {{.Logging.OriginXrootd}}
diff --git a/xrootd/xrootd_config.go b/xrootd/xrootd_config.go
index 9203a77ff..4ab7b466c 100644
--- a/xrootd/xrootd_config.go
+++ b/xrootd/xrootd_config.go
@@ -159,6 +159,7 @@ type (
 		TLSKey                    string
 		TLSCACertificateDirectory string
 		TLSCACertificateFile      string
+		DropPrivileges            bool
 	}
 
 	LoggingConfig struct {
@@ -476,7 +477,7 @@ func CheckXrootdEnv(server server_structs.XRootDServer) error {
 		}
 	}
 
-	if err = CopyXrootdCertificates(server); err != nil {
+	if err = copyXrootdCertificates(server); err != nil {
 		return err
 	}
 
@@ -542,12 +543,40 @@ func CheckXrootdEnv(server server_structs.XRootDServer) error {
 	return nil
 }
 
+func writeX509Credentials(fp *os.File) error {
+	srcFile, err := os.Open(param.Server_TLSCertificateChain.GetString())
+	if err != nil {
+		return errors.Wrap(err, "Failure when opening source certificate for xrootd")
+	}
+	defer srcFile.Close()
+
+	if _, err = io.Copy(fp, srcFile); err != nil {
+		return errors.Wrapf(err, "Failure when copying source certificate for xrootd")
+	}
+
+	if _, err = fp.Write([]byte{'\n', '\n'}); err != nil {
+		return errors.Wrap(err, "Failure when writing into copied key pair for xrootd")
+	}
+
+	srcKeyFile, err := os.Open(param.Server_TLSKey.GetString())
+	if err != nil {
+		return errors.Wrap(err, "Failure when opening source key for xrootd")
+	}
+	defer srcKeyFile.Close()
+
+	if _, err = io.Copy(fp, srcKeyFile); err != nil {
+		return errors.Wrapf(err, "Failure when copying source key for xrootd")
+	}
+
+	return nil
+}
+
 // Copies the server certificate/key files into the XRootD runtime
 // directory.  Combines the two files into a single one so the new
 // certificate shows up atomically from XRootD's perspective.
 // Adjusts the ownership and mode to match that expected
 // by the XRootD framework.
-func CopyXrootdCertificates(server server_structs.XRootDServer) error {
+func copyXrootdCertificates(server server_structs.XRootDServer) error {
 	user, err := config.GetDaemonUserInfo()
 	if err != nil {
 		return errors.Wrap(err, "Unable to copy certificates to xrootd runtime directory; failed xrootd user lookup")
@@ -574,32 +603,54 @@ func CopyXrootdCertificates(server server_structs.XRootDServer) error {
 		return errors.Wrap(err, "Failure when chown'ing certificate key pair file for xrootd")
 	}
 
-	srcFile, err := os.Open(param.Server_TLSCertificateChain.GetString())
-	if err != nil {
-		return errors.Wrap(err, "Failure when opening source certificate for xrootd")
+	if err = writeX509Credentials(destFile); err != nil {
+		return err
 	}
-	defer srcFile.Close()
 
-	if _, err = io.Copy(destFile, srcFile); err != nil {
-		return errors.Wrapf(err, "Failure when copying source certificate for xrootd")
+	if err = os.Rename(tmpName, destination); err != nil {
+		return errors.Wrapf(err, "Failure when moving key pair for xrootd")
 	}
 
-	if _, err = destFile.Write([]byte{'\n', '\n'}); err != nil {
-		return errors.Wrap(err, "Failure when writing into copied key pair for xrootd")
+	return nil
+}
+
+// After privileges have been dropped, copy the server certificates
+// to the xrootd process.
+func dropPrivilegeCopy(server server_structs.XRootDServer) error {
+
+	certFile := param.Server_TLSCertificateChain.GetString()
+	certKey := param.Server_TLSKey.GetString()
+	if _, err := tls.LoadX509KeyPair(certFile, certKey); err != nil {
+		return builtin_errors.Join(err, errBadKeyPair)
 	}
 
-	srcKeyFile, err := os.Open(param.Server_TLSKey.GetString())
+	destination := filepath.Join(param.Origin_RunLocation.GetString(), "pelican")
+	if server.GetServerType().IsEnabled(server_structs.CacheType) {
+		destination = filepath.Join(param.Cache_RunLocation.GetString(), "pelican")
+	}
+	destination = filepath.Join(destination, "copied-tls-creds.crt")
+	destFile, err := os.OpenFile(destination, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, fs.FileMode(0400))
 	if err != nil {
-		return errors.Wrap(err, "Failure when opening source key for xrootd")
+		return errors.Wrap(err, "Failure when opening certificate key pair file to pass to xrootd")
 	}
-	defer srcKeyFile.Close()
+	defer destFile.Close()
 
-	if _, err = io.Copy(destFile, srcKeyFile); err != nil {
-		return errors.Wrapf(err, "Failure when copying source key for xrootd")
+	if err = writeX509Credentials(destFile); err != nil {
+		return err
 	}
 
-	if err = os.Rename(tmpName, destination); err != nil {
-		return errors.Wrapf(err, "Failure when moving key pair for xrootd")
+	for idx := 0; idx < 2; idx++ {
+		rdDestFile, err := os.OpenFile(destination, os.O_RDONLY, fs.FileMode(0400))
+		if err != nil {
+			return errors.Wrap(err, "Failed to re-open the copied certificate key pair file as read-only")
+		}
+		isOrigin := true
+		if idx == 1 {
+			isOrigin = false
+		}
+		if err = sendChildFD(isOrigin, 2, rdDestFile); err != nil {
+			return errors.Wrap(err, "Failed to send the copied certificate key pair file to xrootd")
+		}
 	}
 
 	return nil
@@ -618,7 +669,12 @@ func LaunchXrootdMaintenance(ctx context.Context, server server_structs.XRootDSe
 		"xrootd maintenance",
 		sleepTime,
 		func(notifyEvent bool) error {
-			err := CopyXrootdCertificates(server)
+			var err error
+			if param.Server_DropPrivileges.GetBool() {
+				err = dropPrivilegeCopy(server)
+			} else {
+				err = copyXrootdCertificates(server)
+			}
 			if notifyEvent && errors.Is(err, errBadKeyPair) {
 				log.Debugln("Bad keypair encountered when doing xrootd certificate maintenance:", err)
 				return nil
@@ -828,10 +884,25 @@ func ConfigXrootd(ctx context.Context, isOrigin bool) (string, error) {
 		return "", err
 	}
 
-	runtimeCAs := filepath.Join(param.Origin_RunLocation.GetString(), "ca-bundle.crt")
+	// Set up the runtime CA bundle
+	runtimeCAs := filepath.Join(param.Origin_RunLocation.GetString())
 	if !isOrigin {
-		runtimeCAs = filepath.Join(param.Cache_RunLocation.GetString(), "ca-bundle.crt")
+		runtimeCAs = filepath.Join(param.Cache_RunLocation.GetString())
+	}
+	// If we plan to drop privileges, we'll write the CA bundle to a location that is owned
+	// by the pelican daemon.  Since it's going to be marked as world-readable, we don't need
+	// to periodically update it as the xrootd user like we do for the host key.
+	if param.Server_DropPrivileges.GetBool() {
+		runtimeCAs = filepath.Join(runtimeCAs, "pelican")
+		puser, err := config.GetPelicanUser()
+		if err != nil {
+			return "", err
+		}
+		if err = config.MkdirAll(runtimeCAs, 0755, puser.Uid, puser.Gid); err != nil {
+			return "", errors.Wrapf(err, "Unable to create runtime directory %v", runtimeCAs)
+		}
 	}
+	runtimeCAs = filepath.Join(runtimeCAs, "ca-bundle.crt")
 	egrpKey := string(config.EgrpKey)
 	caCount, err := utils.LaunchPeriodicWriteCABundle(ctx, egrpKey, runtimeCAs, 2*time.Minute)
 	if err != nil {
diff --git a/xrootd/xrootd_config_test.go b/xrootd/xrootd_config_test.go
index 7055242f6..667f606b3 100644
--- a/xrootd/xrootd_config_test.go
+++ b/xrootd/xrootd_config_test.go
@@ -412,14 +412,14 @@ func TestCopyCertificates(t *testing.T) {
 	config.InitConfig()
 
 	// First, invoke CopyXrootdCertificates directly, ensure it works.
-	err := CopyXrootdCertificates(&origin.OriginServer{})
+	err := copyXrootdCertificates(&origin.OriginServer{})
 	assert.ErrorIs(t, err, errBadKeyPair)
 
 	err = config.InitServer(ctx, server_structs.OriginType)
 	require.NoError(t, err)
 	err = config.MkdirAll(path.Dir(param.Xrootd_Authfile.GetString()), 0755, -1, -1)
 	require.NoError(t, err)
-	err = CopyXrootdCertificates(&origin.OriginServer{})
+	err = copyXrootdCertificates(&origin.OriginServer{})
 	require.NoError(t, err)
 	destKeyPairName := filepath.Join(param.Origin_RunLocation.GetString(), "copied-tls-creds.crt")
 	assert.FileExists(t, destKeyPairName)
@@ -439,7 +439,7 @@ func TestCopyCertificates(t *testing.T) {
 	err = os.Rename(certName, certName+".orig")
 	require.NoError(t, err)
 
-	err = CopyXrootdCertificates(&origin.OriginServer{})
+	err = copyXrootdCertificates(&origin.OriginServer{})
 	assert.ErrorIs(t, err, errBadKeyPair)
 
 	err = os.Rename(keyName, keyName+".orig")
@@ -448,7 +448,7 @@ func TestCopyCertificates(t *testing.T) {
 	err = config.InitServer(ctx, server_structs.OriginType)
 	require.NoError(t, err)
 
-	err = CopyXrootdCertificates(&origin.OriginServer{})
+	err = copyXrootdCertificates(&origin.OriginServer{})
 	require.NoError(t, err)
 
 	secondKeyPairContents, err := os.ReadFile(destKeyPairName)