wolfSSL · yosuke-wolfssl · Jun 26, 2026
diff --git a/apps/wolfsshd/wolfsshd.c b/apps/wolfsshd/wolfsshd.c
@@ -595,12 +595,10 @@ static int SCP_Subsystem(WOLFSSHD_CONNECTION* conn, WOLFSSH* ssh,
     if (wolfSSHD_AuthReducePermissionsUser(conn->auth, pPasswd->pw_uid,
             pPasswd->pw_gid) != WS_SUCCESS) {
         wolfSSH_Log(WS_LOG_ERROR, "[SSHD] Error setting user ID");
-        if (wolfSSHD_AuthReducePermissions(conn->auth) != WS_SUCCESS) {
-            /* stop everything if not able to reduce permissions level */
-            exit(1);
-        }
-
-        return WS_FATAL_ERROR;
+        /* could not drop to the authenticated user; terminate the
+         * per-connection process rather than continue at a higher
+         * privilege level */
+        exit(1);
     }
 #else
     /* impersonate the logged on user for file permissions */
@@ -714,12 +712,10 @@ static int SFTP_Subsystem(WOLFSSHD_CONNECTION* conn, WOLFSSH* ssh,
     if (wolfSSHD_AuthReducePermissionsUser(conn->auth, pPasswd->pw_uid,
             pPasswd->pw_gid) != WS_SUCCESS) {
         wolfSSH_Log(WS_LOG_ERROR, "[SSHD] Error setting user ID");
-        if (wolfSSHD_AuthReducePermissions(conn->auth) != WS_SUCCESS) {
-            /* stop everything if not able to reduce permissions level */
-            exit(1);
-        }
-
-        return WS_FATAL_ERROR;
+        /* could not drop to the authenticated user; terminate the
+         * per-connection process rather than continue at a higher
+         * privilege level */
+        exit(1);
     }
 #else
     char r[MAX_PATH];
@@ -1424,77 +1420,60 @@ static int SHELL_Subsystem(WOLFSSHD_CONNECTION* conn, WOLFSSH* ssh,
             if (dup2(stdinPipe[0], STDIN_FILENO) == -1) {
                 wolfSSH_Log(WS_LOG_ERROR,
                     "[SSHD] Error redirecting stdin pipe");
-                if (wolfSSHD_AuthReducePermissions(conn->auth) != WS_SUCCESS) {
-                    exit(1);
-                }
-
-                return WS_FATAL_ERROR;
+                /* exit rather than return into the connection handler
+                 * while still at a raised privilege level */
+                exit(1);
             }
             if (dup2(stdoutPipe[1], STDOUT_FILENO) == -1) {
                 wolfSSH_Log(WS_LOG_ERROR,
                     "[SSHD] Error redirecting stdout pipe");
-                if (wolfSSHD_AuthReducePermissions(conn->auth) != WS_SUCCESS) {
-                    exit(1);
-                }
-
-                return WS_FATAL_ERROR;
+                /* exit rather than return into the connection handler
+                 * while still at a raised privilege level */
+                exit(1);
             }
             if (dup2(stderrPipe[1], STDERR_FILENO) == -1) {
                 wolfSSH_Log(WS_LOG_ERROR,
                     "[SSHD] Error redirecting stderr pipe");
-                if (wolfSSHD_AuthReducePermissions(conn->auth) != WS_SUCCESS) {
-                    exit(1);
-                }
-
-                return WS_FATAL_ERROR;
+                /* exit rather than return into the connection handler
+                 * while still at a raised privilege level */
+                exit(1);
             }
         }
 
         /* set additional groups if needed */
         if (wolfSSHD_AuthSetGroups(conn->auth, wolfSSH_GetUsername(ssh),
                 pPasswd->pw_gid) != WS_SUCCESS) {
             wolfSSH_Log(WS_LOG_ERROR, "[SSHD] Error setting groups");
-            if (wolfSSHD_AuthReducePermissions(conn->auth) != WS_SUCCESS) {
-                /* stop everything if not able to reduce permissions level */
-                exit(1);
-            }
-
-            return WS_FATAL_ERROR;
+            /* exit rather than return into the connection handler while
+             * still at a raised privilege level */
+            exit(1);
         }
 
         rc = SetupChroot(usrConf);
         if (rc < 0) {
             wolfSSH_Log(WS_LOG_ERROR, "[SSHD] Error setting chroot");
-            if (wolfSSHD_AuthReducePermissions(conn->auth) != WS_SUCCESS) {
-                /* stop everything if not able to reduce permissions level */
-                exit(1);
-            }
-
-            return WS_FATAL_ERROR;
+            /* exit rather than return into the connection handler while
+             * still at a raised privilege level */
+            exit(1);
         }
         else if (rc == 1) {
             rc = chdir("/");
             if (rc != 0) {
                 wolfSSH_Log(WS_LOG_ERROR,
                     "[SSHD] Error going to / after chroot");
-                if (wolfSSHD_AuthReducePermissions(conn->auth) != WS_SUCCESS) {
-                    /* stop everything if not able to reduce permissions level */
-                    exit(1);
-                }
-
-                return WS_FATAL_ERROR;
+                /* exit rather than return into the connection handler
+                 * while still at a raised privilege level */
+                exit(1);
             }
         }
 
         if (wolfSSHD_AuthReducePermissionsUser(conn->auth, pPasswd->pw_uid,
             pPasswd->pw_gid) != WS_SUCCESS) {
             wolfSSH_Log(WS_LOG_ERROR, "[SSHD] Error setting user ID");
-            if (wolfSSHD_AuthReducePermissions(conn->auth) != WS_SUCCESS) {
-                /* stop everything if not able to reduce permissions level */
-                exit(1);
-            }
-
-            return WS_FATAL_ERROR;
+            /* could not drop to the authenticated user; terminate this
+             * child rather than return into the connection handler at a
+             * higher privilege level */
+            exit(1);
         }
 
         setenv("HOME", pPasswd->pw_dir, 1);
@@ -1559,12 +1538,11 @@ static int SHELL_Subsystem(WOLFSSHD_CONNECTION* conn, WOLFSSH* ssh,
     if (wolfSSHD_AuthReducePermissionsUser(conn->auth, pPasswd->pw_uid,
         pPasswd->pw_gid) != WS_SUCCESS) {
         wolfSSH_Log(WS_LOG_ERROR, "[SSHD] Error setting user ID");
-        if (wolfSSHD_AuthReducePermissions(conn->auth) != WS_SUCCESS) {
-            /* stop everything if not able to reduce permissions level */
-            exit(1);
-        }
-
-        return WS_FATAL_ERROR;
+        /* could not drop to the authenticated user; kill the already
+         * forked shell child and terminate the per-connection process
+         * rather than continue at a higher privilege level */
+        kill(childPid, SIGKILL);
+        exit(1);
     }
     sshFd = wolfSSH_get_fd(ssh);
 
@@ -2097,7 +2075,8 @@ static void* HandleConnection(void* arg)
                 #ifdef WOLFSSH_SHELL
                     if (ret == WS_SUCCESS) {
                         wolfSSH_Log(WS_LOG_INFO, "[SSHD] Entering new shell");
-                        SHELL_Subsystem(conn, ssh, pPasswd, usrConf, NULL);
+                        ret = SHELL_Subsystem(conn, ssh, pPasswd, usrConf,
+                                NULL);
                     }
                 #else
                     wolfSSH_Log(WS_LOG_ERROR,
@@ -2143,7 +2122,7 @@ static void* HandleConnection(void* arg)
                         wolfSSH_Log(WS_LOG_INFO,
                             "[SSHD] Entering exec session [%s]",
                                 wolfSSH_GetSessionCommand(ssh));
-                        SHELL_Subsystem(conn, ssh, pPasswd, usrConf,
+                        ret = SHELL_Subsystem(conn, ssh, pPasswd, usrConf,
                                 wolfSSH_GetSessionCommand(ssh));
                     }
                 #endif /* WOLFSSH_SHELL */