unfortunately tame "stdio" can only happen well after the sequence of:

utmp parsing, tty opening, setresgid to drop privs.  it only protects
a basic io loop.
discussed with doug

diff --git a/usr.bin/write/write.c b/usr.bin/write/write.c
index 1f7f10a..d239d27 100644 (file)
--- a/usr.bin/write/write.c
+++ b/usr.bin/write/write.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: write.c,v 1.29 2015/10/05 07:09:46 deraadt Exp $      */
+/*     $OpenBSD: write.c,v 1.30 2015/10/06 03:25:02 deraadt Exp $      */
 /*     $NetBSD: write.c,v 1.5 1995/08/31 21:48:32 jtc Exp $    */
 
 /*
@@ -246,6 +246,13 @@ do_write(char *tty, char *mytty, uid_t myuid)
        if (setresgid(gid, gid, gid) == -1)
                err(1, "setresgid");
 
+       /*
+        * Unfortunately this is rather late - well after utmp
+        * parsing, then pinned by the tty open and setresgid
+        */
+       if (tame("stdio", NULL) == -1)
+               err(1, "tame");
+
        (void)signal(SIGINT, done);
        (void)signal(SIGHUP, done);