#!/usr/bin/env bash
#
# Entrypoint for the CVE-2026-34486 vulnerable Tomcat node.
#
# Responsibilities:
#  1. Clean-baseline: ensure no exploit marker is staged from a previous run.
#     The verifier dictates the marker path at exploit time; markers are expected
#     under /tmp (the conventional location the exploit's command will target) and
#     /marker (a writable dir owned by the tomcat user, handy for arbitrary paths).
#     We wipe both on every boot so a restart yields an unambiguous clean state.
#  2. Run Catalina as the unprivileged 'tomcat' service user, so any file the
#     hijacked control flow creates is owned by that uid -- the identity the
#     criterion's privileged channel checks against.
#
set -euo pipefail

# --- clean baseline: remove any stale markers ---
rm -rf /marker/* 2>/dev/null || true
# Remove anything previously dropped in /tmp that looks like a marker. We do NOT
# blanket-wipe /tmp (Tomcat itself uses CATALINA_TMPDIR), only pwn-style files.
find /tmp -maxdepth 1 -name 'pwned*' -delete 2>/dev/null || true
find /tmp -maxdepth 1 -name 'marker*' -delete 2>/dev/null || true

mkdir -p /marker
chown tomcat:tomcat /marker
chmod 0775 /marker

# Hand the JVM to the unprivileged service user. exec via gosu so signals/PID1
# semantics are preserved.
exec gosu tomcat:tomcat "$@"