From: Marc Espie Subject: usr.bin/write hardening & cleanup To: tech@openbsd.org Date: Tue, 9 Jun 2026 10:53:54 +0200 It is possible to pledge() on startup, which seems like a good idea since write is sgid tty. Also, replace the obnoxious ctime code with hardcoded indices to a more modern use of strftime. Index: write.c =================================================================== RCS file: /vide/cvs/src/usr.bin/write/write.c,v diff -u -p -r1.36 write.c --- write.c 24 Oct 2021 21:24:18 -0000 1.36 +++ write.c 9 Jun 2026 08:51:23 -0000 @@ -65,6 +65,8 @@ main(int argc, char *argv[]) time_t atime; uid_t myuid; + if (pledge("stdio rpath wpath id", NULL) == -1) + err(1, "pledge"); /* check that sender has write enabled */ if (isatty(fileno(stdin))) myttyfd = fileno(stdin); @@ -225,9 +227,9 @@ void do_write(char *tty, char *mytty, uid_t myuid) { const char *login; - char *nows; - time_t now; char path[PATH_MAX], host[HOST_NAME_MAX+1], line[512]; + time_t now; + char nows[12]; gid_t gid; int fd; @@ -263,11 +265,10 @@ do_write(char *tty, char *mytty, uid_t m /* print greeting */ if (gethostname(host, sizeof(host)) == -1) (void)strlcpy(host, "???", sizeof host); - now = time(NULL); - nows = ctime(&now); - nows[16] = '\0'; + time(&now); + strftime(nows, sizeof nows, "%H:%M", localtime(&now)); (void)printf("\r\n\007\007\007Message from %s@%s on %s at %s ...\r\n", - login, host, mytty, nows + 11); + login, host, mytty, nows); while (fgets(line, sizeof(line), stdin) != NULL) wr_fputs(line);
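Review bot: The promise string `"stdio rpath wpath id"` added at the top of main has to cover every call made before any later narrowing, and nothing in the hunk records what each promise is for. A pledge violation kills the process instead of returning an error, so it is worth confirming that no path reached from here needs a promise outside this set. For example, a password-database fallback such as getpwuid(), if the file has one (not visible in this hunk), would need `getpw`. I would add a comment above the call along the lines of `/* rpath: utmp, wpath: recipient tty, id: drop sgid tty */`, with the wording checked against the rest of main, whose body continues outside the hunk.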
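Review bot: The new `strftime(nows, sizeof nows, "%H:%M", localtime(&now))` in the greeting hunk passes the result of localtime() straight through, and localtime() may return NULL, which strftime() would then dereference. The return value of strftime() is also ignored; when it returns 0 the contents of `nows` are unspecified, and the following printf would send those stack bytes to the recipient's terminal. I would take the pointer into a local (`struct tm *tm = localtime(&now);`, declared with the other locals in the earlier do_write hunk) and guard the call: `if (tm == NULL || strftime(nows, sizeof nows, "%H:%M", tm) == 0) (void)strlcpy(nows, "??:??", sizeof nows);`. The body of do_write starts and ends outside this hunk.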