HardendedBSD Issue 32 - hbsd-update rewrite BEADM

3 views
Skip to first unread message

Ron Georgia

unread,
Feb 16, 2026, 9:58:07 PM (6 days ago) Feb 16
to HardenedBSD Users, netv...@gmail.com
All,

Under the check_sanity function the following is present

    # FreeBSD / HardenedBSD 12 introduced bectl in base. bectl
    # provides a beadm-compatible utility for managing ZFS Boot
    # Environments (BEs). Since the majority of HardenedBSD users
    # are on 11-STABLE, prefer beadm over bectl. Hopefully, bectl
    # will one day exist on 11-STABLE.
    #
    # -b BEname       Install updates to ZFS Boot Environment <BEname>
    # Default: BEADM="/usr/local/sbin/beadm"
    if [ ! -z "${zfsbe}" ] && [ ! -x ${BEADM} ]; then
        if [ -x /sbin/bectl ]; then
            BEADM=/sbin/bectl
        else
            debug_print "[-] Please install sysutils/beadm"
            exit 1
        fi
    fi

BEADM defaults to /usr/local/sbin/beadm, if that's not present and -b
flag is present check for /sbin/bectl. If that exists assign /sbin/bectl
to BEADM. Should I keep this "as is" for backward compat or reverse the
logic, making /sbin/bectl the default with a check for
/usr/local/sbin/beadm if /sbin/bectl is missing? Right now the flua code
looks like this:

function system_vars.system_cmd()

    if config.file_exists("/usr/local/sbin/beadm") then
        beadm_path = "/usr/local/sbin/beadm"
    else
        beadm_path = "/sbin/bectl"
    end

    local sys_cmd = {
        ["AWK"] = "/usr/bin/awk",
        ["BEADM"] = beadm_path
        <snip>,
    }
    return sys_cmd
end

--
”There is a scratch in the prism of my understanding.”

Shawn Webb

unread,
Feb 17, 2026, 11:20:45 AM (5 days ago) Feb 17
to Ron Georgia, HardenedBSD Users
Since bectl has existed in base for years now (it didn't back when
beadm was integrated into hbsd-udpate), we can probably remove support
for beadm, relying only on bectl. (If anyone uses beadm instead of
bectl, please do speak up.)

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Signal Username: shawn_webb.74
Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
signature.asc
Reply all
Reply to author
Forward
0 new messages