From e1f72a00e19e237851ed5167bb84b4408adfde3c Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh <jacob@wolfssl.com>
Date: Wed, 31 Aug 2022 10:34:13 -0700
Subject: [PATCH] chroot and reduce permissions after forkpty

---
 apps/wolfsshd/wolfsshd.c | 52 ++++++++++++++++++++++++----------------
 1 file changed, 31 insertions(+), 21 deletions(-)

diff --git a/apps/wolfsshd/wolfsshd.c b/apps/wolfsshd/wolfsshd.c
index 8ed9cf63..d7c35a02 100644
--- a/apps/wolfsshd/wolfsshd.c
+++ b/apps/wolfsshd/wolfsshd.c
@@ -434,27 +434,6 @@ static int SHELL_Subsystem(WOLFSSHD_CONNECTION* conn, WOLFSSH* ssh,
     }
 
     ChildRunning = 1;
-    if (SetupChroot(usrConf) < 0) {
-        wolfSSH_Log(WS_LOG_ERROR, "[SSHD] Error setting chroot");
-        if (wolfSSHD_AuthReducePermissions(conn->auth) != WS_SUCCESS) {
-            /* stop everything if not able to reduce permissions level */
-            exit(1);
-        }
-
-        return WS_FATAL_ERROR;
-    }
-
-    if (wolfSSHD_AuthReducePermissionsUser(conn->auth, pPasswd->pw_uid,
-        pPasswd->pw_gid) != WS_SUCCESS) {
-        wolfSSH_Log(WS_LOG_ERROR, "[SSHD] Error setting user ID");
-        if (wolfSSHD_AuthReducePermissions(conn->auth) != WS_SUCCESS) {
-            /* stop everything if not able to reduce permissions level */
-            exit(1);
-        }
-
-        return WS_FATAL_ERROR;
-    }
-
     childPid = forkpty(&childFd, NULL, NULL, NULL);
     if (childPid < 0) {
         /* forkpty failed, so return */
@@ -471,6 +450,27 @@ static int SHELL_Subsystem(WOLFSSHD_CONNECTION* conn, WOLFSSH* ssh,
         signal(SIGINT,  SIG_DFL);
         signal(SIGCHLD, SIG_DFL);
 
+        if (SetupChroot(usrConf) < 0) {
+            wolfSSH_Log(WS_LOG_ERROR, "[SSHD] Error setting chroot");
+            if (wolfSSHD_AuthReducePermissions(conn->auth) != WS_SUCCESS) {
+                /* stop everything if not able to reduce permissions level */
+                exit(1);
+            }
+
+            return WS_FATAL_ERROR;
+        }
+
+        if (wolfSSHD_AuthReducePermissionsUser(conn->auth, pPasswd->pw_uid,
+            pPasswd->pw_gid) != WS_SUCCESS) {
+            wolfSSH_Log(WS_LOG_ERROR, "[SSHD] Error setting user ID");
+            if (wolfSSHD_AuthReducePermissions(conn->auth) != WS_SUCCESS) {
+                /* stop everything if not able to reduce permissions level */
+                exit(1);
+            }
+
+            return WS_FATAL_ERROR;
+        }
+
         setenv("HOME", pPasswd->pw_dir, 1);
         setenv("LOGNAME", pPasswd->pw_name, 1);
         rc = chdir(pPasswd->pw_dir);
@@ -503,6 +503,16 @@ static int SHELL_Subsystem(WOLFSSHD_CONNECTION* conn, WOLFSSH* ssh,
         exit(0); /* exit child process and close down SSH connection */
     }
 
+    if (wolfSSHD_AuthReducePermissionsUser(conn->auth, pPasswd->pw_uid,
+        pPasswd->pw_gid) != WS_SUCCESS) {
+        wolfSSH_Log(WS_LOG_ERROR, "[SSHD] Error setting user ID");
+        if (wolfSSHD_AuthReducePermissions(conn->auth) != WS_SUCCESS) {
+            /* stop everything if not able to reduce permissions level */
+            exit(1);
+        }
+
+        return WS_FATAL_ERROR;
+    }
     sshFd = wolfSSH_get_fd(ssh);
 
     struct termios tios;