If you change write to be set-uid root, you must add in two things:
One is a setuid(geteuid()) before the exec for a shell escape. almost
as important, but less obvious, is that you must scrutinize the optional
ttyname arguement to prevent things like
write user ../etc/passwd
This would of course be disasterous...