Since the dawn of time, this has contained freopen() for the tty path

with mode "w", as root, since "w" implies O_CREAT. That will create the raw file in /dev if it does not yet exist (due to a lie in utmp). It should use "r+", to open it for for O_RDWR only. Oh man this reminds me of 1988, how old is this bug? ok doug
author: deraadt <deraadt@openbsd.org> 2015-10-05 07:09:46 +0000
committer: deraadt <deraadt@openbsd.org> 2015-10-05 07:09:46 +0000
commit: fc0cd8cb943fedf9e271ebd66105beb1d79efa77 (patch)
tree: fa57a4c5f1eefb9d412beb67178e1ffca52b8076 /usr.bin/write/write.c
parent: tame "stdio rpath" initially; if we find out the only file operated on (diff)
download: wireguard-openbsd-fc0cd8cb943fedf9e271ebd66105beb1d79efa77.tar.xz
wireguard-openbsd-fc0cd8cb943fedf9e271ebd66105beb1d79efa77.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/usr.bin/write/write.c b/usr.bin/write/write.c
index be3bc10b964..1f7f10a2474 100644
--- a/usr.bin/write/write.c
+++ b/usr.bin/write/write.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: write.c,v 1.28 2015/01/16 06:40:14 deraadt Exp $	*/
+/*	$OpenBSD: write.c,v 1.29 2015/10/05 07:09:46 deraadt Exp $	*/
 /*	$NetBSD: write.c,v 1.5 1995/08/31 21:48:32 jtc Exp $	*/
 
 /*
@@ -238,7 +238,7 @@ do_write(char *tty, char *mytty, uid_t myuid)
 	}
 
 	(void)snprintf(path, sizeof(path), "%s%s", _PATH_DEV, tty);
-	if ((freopen(path, "w", stdout)) == NULL)
+	if ((freopen(path, "r+", stdout)) == NULL)
 		err(1, "%s", path);
 
 	/* revoke privs, now that we have opened the tty */
author	deraadt <deraadt@openbsd.org>	2015-10-05 07:09:46 +0000
committer	deraadt <deraadt@openbsd.org>	2015-10-05 07:09:46 +0000
commit	fc0cd8cb943fedf9e271ebd66105beb1d79efa77 (patch)
tree	fa57a4c5f1eefb9d412beb67178e1ffca52b8076 /usr.bin/write/write.c
parent	tame "stdio rpath" initially; if we find out the only file operated on (diff)
download	wireguard-openbsd-fc0cd8cb943fedf9e271ebd66105beb1d79efa77.tar.xz wireguard-openbsd-fc0cd8cb943fedf9e271ebd66105beb1d79efa77.zip