Commit Diff


commit - 0635dc046417cbcfd2944326b9dd4137e64c621b
commit + 56a87f5f8b4cfa636f857cd91e738c4c3e37da27
blob - d391c772c093bfb9dd16ddf068fc91a7b353a033
blob + 89600edc8ee876fb09530238614b61afc9313a67
--- vias.c
+++ vias.c
@@ -440,7 +440,7 @@ main(int argc, char **argv)
 	if ((tfd = mkstemp(tmpfile)) == -1)
 		err(1, "mkstemp failed");
 
-	if (pledge("stdio rpath cpath exec proc tty", NULL) == -1)
+	if (pledge("stdio rpath wpath cpath exec proc tty", NULL) == -1)
 		err(1, "pledge");
 
 	if (!fcpy(tfd, ofd)) {
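Review bot: Adding `wpath` to this first pledge widens the filesystem promises for everything from here down to the parent branch, and the only consumer visible in this diff is the `open("/dev/tty", O_RDWR)` in the third hunk. pledge(2) describes the `tty` promise as already allowing read-write operations on /dev/tty, so it is worth confirming that `rpath wpath` are really what that open needs before carrying them across `fcpy()` and the `syslog()` call. main() begins and ends outside this hunk, so another user of these promises may exist out of view.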
@@ -453,7 +453,7 @@ main(int argc, char **argv)
 	else
 		cwd = cwdpath;
 
-	if (pledge("stdio cpath exec proc tty", NULL) == -1)
+	if (pledge("stdio rpath wpath cpath exec proc tty", NULL) == -1)
 		err(1, "pledge");
 
 	syslog(LOG_AUTHPRIV | LOG_INFO, "%s edited %s from %s",
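Review bot: This second call now passes the same promise string as the first pledge in the hunk above, so it no longer narrows anything; before the change it dropped `rpath` here. That assumes no other pledge call sits in the lines between the two hunks, which are not all visible. Either remove the call or keep it with a comment such as `/* nothing can be dropped yet: rpath wpath are held for the /dev/tty open in the parent */`, so a later reader does not take it for a real privilege reduction.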
@@ -483,11 +483,13 @@ main(int argc, char **argv)
 		execvp(eargv[0], eargv);
 		err(1, "execvp failed");
 	default:
-		if (pledge("stdio cpath proc tty", NULL) == -1)
+		if (pledge("stdio rpath wpath cpath proc tty", NULL) == -1)
 			err(1, "pledge");
 
 		(void)setpgid(vipid, 0);
 		ttyfd = open("/dev/tty", O_RDWR);
+		if (pledge("stdio cpath proc tty", NULL) == -1)
+			err(1, "pledge");
 		if (ttyfd != -1)
 			(void)tcsetpgrp(ttyfd, vipid);
 		while ((ret = waitpid(vipid, &status, 0)) == -1 &&
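Review bot: The two pledge calls in the `default:` branch are undocumented, so nothing says that the first keeps `rpath wpath` only for the `open("/dev/tty", O_RDWR)` that follows. A comment above the added call, for example `/* /dev/tty is open (or failed to open); drop rpath and wpath again */`, would make the intent explicit and protect the second call from being removed as redundant. Placing the narrowing pledge before the `ttyfd != -1` check is right, since it then applies whether or not the open succeeded. The switch and the waitpid loop continue outside the hunk.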