I guess I didn't make myself totally clear. I said the fix was to make utmp not world writtable (and I believe I mentioned a workaround using a group (the tty group temporarily, since only staff types would be using xterms on the given system). But the fact remains Xterm really needs to be SUID root so it can change perms and OWNERSHIP on its pty to the user. Let me suggest that you take a look at the SysV Release 4 pty mechanism. I'll be vain enough to claim partial credit for the design. With it, you don't need root to allocate a pty. A single subroutine -- and a hidden setuid root program allocate the pty, change the ownership, set the modes -- and do it all without the usual race conditions that BSD-derived systems need root privileges, vhangup(), and assorted other misfeatures to bypass. It works like this. The pty user opens a pty master (which, btw, is a clone device; no nonsense about looping through some fixed number of possible ptys). The open file descriptor for the master end -- and that's not reopenable, and it won't be allocated unless the slave end is idle -- is passed to this setuid root program. From the master fd, it determines the name of the corresponding slave device, and chowns and chmods it. It then issues an ioctl unlocking it -- until that ioctl is issued, attempts to open the slave device will fail. Presto -- no race on open permissions. I forget if the subroutine opens the slave end for the caller, or just passes back the name, but either way, the interface is much easier. I also don't remember if utmp is handled by this routine, but the extension is obvious -- you pass around the master end fd, and a small trusted program does the appropriate diddles. But since xterm was SUID root to accomplish this, and a bug in XTERM made it possible to alter system files, Sun's apparant fix was to make utmp world-writeable, all the pty's world-writeable, and remove the SUID bit from Xterm. You've got the causality wrong. Sun had a writable wtmp years ago, precisely to avoid making terminal emulators setuid root. The bug -- probably inevitable -- bit folks who used MIT's xterm, because MIT didn't see the danger. One could use a variation on that pty command available off the net, it works fine, but, alas, *IT* has to run SUID root, too in order to be able to chown the pty to the user... Something has to run setuid root, but it doesn't have to be a whale.