diff --git a/sbin/hastd/primary.c b/sbin/hastd/primary.c
index e22ef828f63a..d701d8efb9b4 100644
--- a/sbin/hastd/primary.c
+++ b/sbin/hastd/primary.c
@@ -847,6 +847,11 @@ hastd_primary(struct hast_resource *res)
 init_ggate(res);
 init_environment(res);
 
+ if (drop_privs() != 0) {
+ cleanup(res);
+ exit(EX_CONFIG);
+ }
+
 /*
 * Create the guard thread first, so we can handle signals from the
 * very begining.
diff --git a/sbin/hastd/secondary.c b/sbin/hastd/secondary.c
index 821d5c7450b2..21b54be9febd 100644
--- a/sbin/hastd/secondary.c
+++ b/sbin/hastd/secondary.c
@@ -413,6 +413,9 @@ hastd_secondary(struct hast_resource *res, struct nv *nvin)
 init_local(res);
 init_environment();
 
+ if (drop_privs() != 0)
+ exit(EX_CONFIG);
+
 /*
 * Create the control thread before sending any event to the parent,
 * as we can deadlock when parent sends control request to worker,
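Review bot: The new privilege drop in hastd_primary() has no comment saying why it sits exactly here, after init_ggate() and init_environment() and before the guard thread is created, so a later reorder could silently move root-only setup below it or thread creation above it. I would add above the check: `/* Drop privileges once all root-only setup is done and before any thread starts; everything below runs unprivileged. */`. The failure branch also exits without a message at this call site, so unless drop_privs() reports the reason itself (not visible in this hunk) the worker ends with EX_CONFIG and nothing to diagnose from. The body of hastd_primary() starts and ends outside the hunk, so whether any later path still needs privilege cannot be checked from here.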
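Review bot: The failure path added to hastd_secondary() exits directly, while the same check in hastd_primary() calls cleanup(res) first, and nothing records that the difference is intentional. If the secondary worker holds nothing that needs tearing down at this point, a one-line comment such as `/* No ggate state to tear down in the secondary worker. */` would say so; otherwise the cleanup step is missing. The unbraced body is also easy to extend incorrectly on a security-relevant branch, so I would write it as `if (drop_privs() != 0) {` with the exit on its own braced line, matching the primary. The exit happens before the control thread exists and before any event reaches the parent, so the parent presumably sees only the exit status; hastd_secondary() continues outside the hunk.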