>> 	i have the same question.  how do the daemon authenticate the
>> 	guy who asked for wtmp/utmp writes?
>The first obvious check is (for a session start record) to ensure that
>the user owns the tty he's beginning his new session on.  Some other
>sanity checks can be done to further enhance the reliability and
>integrity of this scheme too (such as checking that the user does not
>have write permission in /dev, etc.)

	still, a bad guy can write an application just for overflowing /var.
	with setuid'ed xterm, it is not really possible (bad guy may be able to
	start as many xterm as I can).  i don't have the complete solution
	anyways but i think it still better to use setuid'ed xterm (of course,
	xterm should drop setuid earliest possible).

itojun