#!/bin/sh
# CVE-2024-3094 sshd launcher.
#
# Launches sshd so that ALL IFUNC-gate preconditions hold at exec time; if any
# one of them fails, the backdoor's symbind64 audit hook never installs:
#   - argv[0] is exactly /usr/sbin/sshd
#   - TERM unset
#   - LD_DEBUG / LD_PROFILE unset
#   - LANG set
#   - kill-switch env var yolAbejyiejuvnup=Evjtgvsh5okmkAvj NOT set
#
# Restartable to a clean baseline: each boot regenerates host keys, so a
# `docker compose restart` (or down/up) yields a pristine sshd.
# Abort on the first failing command and on any reference to an unset variable.
set -o errexit
set -o nounset

# Clean baseline per run: delete every existing host key file, then have
# ssh-keygen -A create the missing default host keys again.
rm -f -- /etc/ssh/ssh_host_*
ssh-keygen -A >/dev/null

# Remove every variable that would break the IFUNC gate from the environment
# sshd will inherit: TERM, the loader debug/profile switches, and the
# kill-switch variable. Then make sure LANG is set and exported.
unset TERM LD_DEBUG LD_PROFILE yolAbejyiejuvnup
LANG=C.UTF-8
export LANG

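# Sanity: confirm that sshd's dynamic dependencies include liblzma (pulled in
# via libsystemd) before launch. The original author notes that this listing
# does NOT trigger the backdoor.
#
# NOTE(review): the match is on the library name only. It shows that *a*
# liblzma is linked, not that the resolved file is the backdoored build; the
# package version has to be pinned or verified where the image is built.
#
# ldd's output is captured first so that an ldd failure is reported as such
# instead of being mistaken for "liblzma not linked".
echo "[entrypoint] liblzma linked into sshd:" >&2
sshd_libs=$(ldd /usr/sbin/sshd) || {
    echo "[entrypoint] FATAL: ldd failed on /usr/sbin/sshd" >&2
    exit 1
}
# Fixed-string match; the matching dependency lines are echoed to stderr so
# the resolved library path shows up in the container log.
printf '%s\n' "$sshd_libs" | grep -F 'liblzma' >&2 || {
    echo "[entrypoint] FATAL: sshd not linked against liblzma" >&2
    exit 1
}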

# Replace this shell with sshd instead of forking it: the process keeps the
# shell's PID (PID 1 when this script is the container entrypoint) and its
# argv[0] is exactly /usr/sbin/sshd, one of the preconditions listed in the
# file header. The environment scrubbed earlier in the script is what sshd
# inherits.
# -D: do not detach (foreground); -e: log to stderr.
# NOTE(review): this starts a deliberately backdoored sshd; which networks can
# reach it is decided by the compose file, which is not visible here. Confirm
# the port is not published beyond the lab network.
exec /usr/sbin/sshd -D -e
