daos-stack · janekmi · Dec 2, 2025 · Dec 3, 2025 · Dec 9, 2025 · Dec 10, 2025
diff --git a/src/engine/init.c b/src/engine/init.c
@@ -1,8 +1,7 @@
 /*
  * (C) Copyright 2016-2024 Intel Corporation.
- * (C) Copyright 2025 Hewlett Packard Enterprise Development LP
+ * (C) Copyright 2025-2026 Hewlett Packard Enterprise Development LP
  * (C) Copyright 2025 Google LLC
- * (C) Copyright 2025 Hewlett Packard Enterprise Development LP
  *
  * SPDX-License-Identifier: BSD-2-Clause-Patent
  */
@@ -24,6 +23,7 @@
 
 #include <daos/btree_class.h>
 #include <daos/common.h>
+#include <daos/mgmt.h>
 #include <daos/placement.h>
 #include <daos/tls.h>
 #include "srv_internal.h"

diff --git a/src/include/daos/common.h b/src/include/daos/common.h
@@ -937,12 +937,17 @@ enum {
 #define DAOS_MEM_FAIL_CHECKPOINT	(DAOS_FAIL_UNIT_TEST_GROUP_LOC | 0x102)
 
 /** DLCK fault injection */
-#define DLCK_FAULT_CREATE_LOG_DIR         (DAOS_FAIL_SYS_TEST_GROUP_LOC | 0x100)
-#define DLCK_FAULT_CREATE_POOL_DIR        (DAOS_FAIL_SYS_TEST_GROUP_LOC | 0x101)
-#define DLCK_FAULT_ENGINE_START           (DAOS_FAIL_SYS_TEST_GROUP_LOC | 0x102)
-#define DLCK_FAULT_ENGINE_EXEC            (DAOS_FAIL_SYS_TEST_GROUP_LOC | 0x103)
-#define DLCK_FAULT_ENGINE_JOIN            (DAOS_FAIL_SYS_TEST_GROUP_LOC | 0x104)
-#define DLCK_FAULT_ENGINE_STOP            (DAOS_FAIL_SYS_TEST_GROUP_LOC | 0x105)
+#define DLCK_MOCK_ROOT                     (DAOS_FAIL_SYS_TEST_GROUP_LOC | 0x100)
+#define DLCK_FAULT_GETGRNAM                (DAOS_FAIL_SYS_TEST_GROUP_LOC | 0x101)
+#define DLCK_MOCK_NO_DAOS_SERVER_GROUP     (DAOS_FAIL_SYS_TEST_GROUP_LOC | 0x102)
+#define DLCK_FAULT_GETGROUPS               (DAOS_FAIL_SYS_TEST_GROUP_LOC | 0x103)
+#define DLCK_MOCK_NOT_IN_DAOS_SERVER_GROUP (DAOS_FAIL_SYS_TEST_GROUP_LOC | 0x104)
+#define DLCK_FAULT_CREATE_LOG_DIR          (DAOS_FAIL_SYS_TEST_GROUP_LOC | 0x105)
+#define DLCK_FAULT_CREATE_POOL_DIR         (DAOS_FAIL_SYS_TEST_GROUP_LOC | 0x106)
+#define DLCK_FAULT_ENGINE_START            (DAOS_FAIL_SYS_TEST_GROUP_LOC | 0x107)
+#define DLCK_FAULT_ENGINE_EXEC             (DAOS_FAIL_SYS_TEST_GROUP_LOC | 0x108)
+#define DLCK_FAULT_ENGINE_JOIN             (DAOS_FAIL_SYS_TEST_GROUP_LOC | 0x109)
+#define DLCK_FAULT_ENGINE_STOP             (DAOS_FAIL_SYS_TEST_GROUP_LOC | 0x10a)
 
 /** Pool open fault injection */
 #define DAOS_FAULT_POOL_NVME_HEALTH       (DAOS_FAIL_SYS_TEST_GROUP_LOC | 0x200)

diff --git a/src/include/daos/mgmt.h b/src/include/daos/mgmt.h
@@ -1,6 +1,6 @@
 /**
  * (C) Copyright 2016-2024 Intel Corporation.
- * (C) Copyright 2025 Hewlett Packard Enterprise Development LP
+ * (C) Copyright 2025-2026 Hewlett Packard Enterprise Development LP
  *
  * SPDX-License-Identifier: BSD-2-Clause-Patent
  */
@@ -18,6 +18,8 @@
 #include <daos/pool.h>
 #include "svc.pb-c.h"
 
+#define DAOS_DEFAULT_SYS_NAME "daos_server"
+
 extern bool d_dynamic_ctx_g;
 
 int dc_mgmt_init(void);

diff --git a/src/include/daos/rpc.h b/src/include/daos/rpc.h
@@ -1,6 +1,6 @@
 /*
  * (C) Copyright 2016-2024 Intel Corporation.
- * (C) Copyright 2025 Hewlett Packard Enterprise Development LP
+ * (C) Copyright 2025-2026 Hewlett Packard Enterprise Development LP
  *
  * SPDX-License-Identifier: BSD-2-Clause-Patent
  */
@@ -311,8 +311,6 @@ int daos_rpc_send(crt_rpc_t *rpc, tse_task_t *task);
 int daos_rpc_complete(crt_rpc_t *rpc, tse_task_t *task);
 int daos_rpc_send_wait(crt_rpc_t *rpc);
 
-#define DAOS_DEFAULT_SYS_NAME "daos_server"
-
 /* Currently, this is used on rcs in metadata RPC reply buffers. */
 static inline bool
 daos_rpc_retryable_rc(int rc)

diff --git a/src/utils/dlck/dlck_main.c b/src/utils/dlck/dlck_main.c
@@ -1,23 +1,134 @@
 /**
- * (C) Copyright 2025 Hewlett Packard Enterprise Development LP
+ * (C) Copyright 2025-2026 Hewlett Packard Enterprise Development LP
  *
  * SPDX-License-Identifier: BSD-2-Clause-Patent
  */
 #define D_LOGFAC DD_FAC(dlck)
 
 #include <stdlib.h>
 #include <stdio.h>
+#include <sys/types.h>
+#include <grp.h>
 #include <abt.h>
 
 #include <daos_errno.h>
 #include <daos/debug.h>
+#include <daos/mgmt.h>
 #include <daos_srv/daos_engine.h>
 #include <gurt/common.h>
 
 #include "dlck_args.h"
 #include "dlck_checker.h"
 #include "dlck_cmds.h"
 
+#define EFFECTIVE_USER_STR      "Effective user: "
+#define USER_BELONGS_TO_GRP_FMT "User %sbelong%s to group: %s (gid=%" PRIuMAX ")\n"
+#define UNEXPECTED_USER_WARNING_MSG                                                                \
+	"\nWARNING: It is recommended to run this program as root or as a user who belongs to "    \
+	"the '" DAOS_DEFAULT_SYS_NAME "' group.\n"                                                 \
+	"Running it under any other account may cause the program to stop due to insufficient "    \
+	"privileges.\n\n"
+
+static bool
+user_is_root(struct checker *ck)
+{
+	uid_t euid = geteuid();
+
+	if (DAOS_FAIL_CHECK(DLCK_MOCK_ROOT)) { /** fault injection */
+		/** it does not have ANY effect on the actual privileges of the user */
+		euid = 0;
+	}
+
+	if (euid == 0) {
+		/** The root user is not always named "root" but its uid is always 0. */
+		CK_PRINT(ck, EFFECTIVE_USER_STR "root\n");
+		return true;
+	}
+
+	CK_PRINTF(ck, EFFECTIVE_USER_STR "uid=%" PRIuMAX "\n", (uintmax_t)euid);
+	return false;
+}
+
+#define MAX_GROUPS 128
+
+static bool
+user_belongs_to_group(const char *group_name, struct checker *ck)
+{
+	struct group *group = NULL;
+	gid_t         group_id;
+	gid_t         groups[MAX_GROUPS];
+	int           rc;
+
+	/** get GID of the requested group */
+	if (DAOS_FAIL_CHECK(DLCK_FAULT_GETGRNAM)) { /** fault injection */
+		errno = daos_fail_value_get();
+	} else if (DAOS_FAIL_CHECK(DLCK_MOCK_NO_DAOS_SERVER_GROUP)) { /** fault injection */
+		errno = 0;
+	} else {
+		errno = 0;
+		group = getgrnam(group_name);
+	}
+	if (group == NULL) {
+		if (errno != 0) {
+			rc = daos_errno2der(errno);
+			CK_PRINTFL_RC(ck, rc, "getgrnam(%s) failed", group_name);
+		} else {
+			CK_PRINTF(ck, "The %s group does not exist.\n", group_name);
+		}
+		return false;
+	}
+	group_id = group->gr_gid;
+
+	/** check primary group */
+	if (getgid() == group_id) {
+		CK_PRINTF(ck, USER_BELONGS_TO_GRP_FMT, "", "s", group_name, (uintmax_t)group_id);
+		return true;
+	}
+
+	/** get supplementary groups */
+	if (DAOS_FAIL_CHECK(DLCK_FAULT_GETGROUPS)) { /** fault injection */
+		rc    = -1;
+		errno = daos_fail_value_get();
+	} else {
+		rc = getgroups(MAX_GROUPS, groups);
+	}
+	if (rc < 0) {
+		rc = daos_errno2der(errno);
+		CK_PRINTFL_RC(ck, rc, "getgroups() failed", group_name);
+		return false;
+	}
+
+	/** check supplementary groups */
+	if (!DAOS_FAIL_CHECK(DLCK_MOCK_NOT_IN_DAOS_SERVER_GROUP)) { /** fault injection */
+		for (int i = 0; i < rc; i++) {
+			if (groups[i] == group_id) {
+				CK_PRINTF(ck, USER_BELONGS_TO_GRP_FMT, "", "s", group_name,
+					  (uintmax_t)group_id);
+				return true;
+			}
+		}
+	}
+
+	CK_PRINTF(ck, USER_BELONGS_TO_GRP_FMT, "DOES NOT ", "", group_name, (uintmax_t)group_id);
+
+	return false;
+}
+
+static void
+check_user_privileges(struct checker *ck)
+{
+	if (user_is_root(ck)) {
+		/** the root user is assumed to have all required privileges */
+		return;
+	}
+
+	if (user_belongs_to_group(DAOS_DEFAULT_SYS_NAME, ck)) {
+		return;
+	}
+
+	CK_PRINT(ck, UNEXPECTED_USER_WARNING_MSG);
+}
+
 int
 main(int argc, char *argv[])
 {
@@ -55,6 +166,8 @@ main(int argc, char *argv[])
 		goto err_abt_fini;
 	}
 
+	check_user_privileges(&ctrl.checker);
+
 	rc = dlck_cmd_check(&ctrl);
 	if (rc != DER_SUCCESS) {
 		goto err_print_main_fini;

diff --git a/src/utils/dlck/tests/fault_injection_dlck.yaml b/src/utils/dlck/tests/fault_injection_dlck.yaml
@@ -1,12 +1,16 @@
 # Uncomment a fault you would like to trigger
-# yamllint disable rule:comments-indentation
 fault_config:
-  # - id: 131328 # DLCK_FAULT_CREATE_LOG_DIR
-  # - id: 131329 # DLCK_FAULT_CREATE_POOL_DIR
-  # - id: 131330 # DLCK_FAULT_ENGINE_START
-  # - id: 131331 # DLCK_FAULT_ENGINE_EXEC
-  # - id: 131332 # DLCK_FAULT_ENGINE_JOIN
-  # - id: 131333 # DLCK_FAULT_ENGINE_STOP
+  # - id: 131328 # DLCK_MOCK_ROOT
+  # - id: 131329 # DLCK_FAULT_GETGRNAM
+  # - id: 131330 # DLCK_MOCK_NO_DAOS_SERVER_GROUP
+  # - id: 131331 # DLCK_FAULT_GETGROUPS
+  # - id: 131332 # DLCK_MOCK_NOT_IN_DAOS_SERVER_GROUP
+  # - id: 131333 # DLCK_FAULT_CREATE_LOG_DIR
+  # - id: 131334 # DLCK_FAULT_CREATE_POOL_DIR
+  # - id: 131335 # DLCK_FAULT_ENGINE_START
+  # - id: 131336 # DLCK_FAULT_ENGINE_EXEC
+  # - id: 131337 # DLCK_FAULT_ENGINE_JOIN
+  # - id: 131338 # DLCK_FAULT_ENGINE_STOP
   # - id: 131584 # DAOS_FAULT_POOL_NVME_HEALTH
   #   interval: 2 # skip sys_db
   # - id: 131585 # DAOS_FAULT_POOL_OPEN_BIO