Re: hastd not working, getgroups failure, COMPAT_FREEBSD14 enabled SUCCESS

Tue, 26 Aug 2025 15:51:08 -0700 

On 8/26/25 17:18, S. Ross Gohlke wrote:


On 8/26/25 15:32, Kyle Evans wrote:

On 8/26/25 15:05, S. Ross Gohlke wrote:

I tried running the latest PRERELEASE snapshot obtained from 
<https://download.freebsd.org/snapshots/amd64/15.0-PRERELEASE/>, published on 
Aug. 22.

The hastd rc service starts but "hastctl status" fails with the following error 
message:
[CRIT] Assertion failed: (getgroups(0, NULL) == 1), function drop_privs, file 
/usr/src/sbin/hastd/subr.c, line 287.

I have followed the "UPDATING stuff" thread on this list about 14 compatibility, and my 
understanding is that getgroups syscalls should work as long as the kernel has "options 
COMPAT_FREEBSD14" enabled.

I am running a custom kernel, but it is based on MINIMAL, so "options 
COMPAT_FREEBSD14" is enabled.

% sysctl kern.conftxt | grep COMPAT_FREEBSD14
options    COMPAT_FREEBSD14

Am I doing something wrong? Might this be fixed in the next snapshot (due 
Thursday)?



Bah; I had adjusted the assertions, but overlooked one that doesn't make sense. 
 The last
two could probably be coalesced, but it's probably worth being sure that we 
don't still
return one gid if room was created for whatever reason.  Try this:

diff --git a/sbin/hastd/subr.c b/sbin/hastd/subr.c
index 284fb0d07647..add1280e960b 100644
--- a/sbin/hastd/subr.c
+++ b/sbin/hastd/subr.c
@@ -284,7 +284,7 @@ drop_privs(const struct hast_resource *res)
        PJDLOG_VERIFY(rgid == pw->pw_gid);
        PJDLOG_VERIFY(egid == pw->pw_gid);
        PJDLOG_VERIFY(sgid == pw->pw_gid);
-       PJDLOG_VERIFY(getgroups(0, NULL) == 1);
+       PJDLOG_VERIFY(getgroups(0, NULL) == 0);
        PJDLOG_VERIFY(getgroups(1, gidset) == 0);

        pjdlog_debug(1,


I patched /usr/src/sbin/hastd/subr.c (just edited the file) and rebuilt hastctl 
and now it works. I did not have to rebuild hastd.



I don't really know enough about hastd here- it does have a few calls to 
drop_privs(), but I guess it
may take a bit more to trip over that.  Knowing that hastctl is fixed is enough 
to proceed with more
confidence here -- committed as 0d843cc2e2a3 (and this week's snapshot builds 
won't start for another
~day).  Thanks for the report!


# nano /usr/src/sbin/hastd/subr.c

<change the line>

# cd /usr/src/sbin/hastctl

# make -j8

# ./hastctl status

Gives proper output and no error.


Thanks for the help and prompt response,

Ross

























					Reply via email to