From 3e8e3350f28d719a890f42302d9a6ea79c6ccd11 Mon Sep 17 00:00:00 2001
From: deraadt <>
Date: Mon, 23 Feb 2026 16:47:07 +0000
Subject: nc(1) has the more crazy unveil + pledge configuration based upon argument flags. I think this correctly replaces "tmppath" with an unveil.
---
 src/usr.bin/nc/netcat.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'src/usr.bin')
diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c
index 6438fbbc5d..9361ff50cd 100644
--- a/src/usr.bin/nc/netcat.c
+++ b/src/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.237 2025/12/06 09:48:30 phessler Exp $ */
+/* $OpenBSD: netcat.c,v 1.238 2026/02/23 16:47:07 deraadt Exp $ */
 /*
 * Copyright (c) 2001 Eric Jackson
 * Copyright (c) 2015 Bob Beck. All rights reserved.
@@ -381,6 +381,8 @@ main(int argc, char *argv[])
 */
 } else {
 if (family == AF_UNIX) {
+ if (unveil("/tmp", "rwc") == -1)
+ err(1, "unveil /tmp");
 if (unveil(host, "rwc") == -1)
 err(1, "unveil %s", host);
 if (uflag && !kflag) {
@@ -400,7 +402,7 @@ main(int argc, char *argv[])
 }
 if (family == AF_UNIX) {
- if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
+ if (pledge("stdio rpath wpath cpath unix", NULL) == -1)
 err(1, "pledge");
 } else if (Fflag && Pflag) {
 if (pledge("stdio inet dns sendfd tty", NULL) == -1)
--
cgit v1.2.3-55-g6feb
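Review bot: The added `unveil("/tmp", "rwc")` in the `@@ -381,6 +381,8 @@` hunk runs for every `family == AF_UNIX` invocation, so modes that only operate on `host` also get read/write/create visibility over all of /tmp. The conditional opening on the hunk's last line, `if (uflag && !kflag) {`, looks like the narrower case that needs a temporary path. Its body is outside the hunk, so confirm whether it already unveils /tmp, and if it does, keep the grant there rather than adding an unconditional one. If the unconditional grant is intended, a comment above it such as `/* replaces pledge "tmppath": temporary paths are created under /tmp */` would record the reason. main() starts and ends outside the hunk.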
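Review bot: The `family == AF_UNIX` pledge in the `@@ -400,7 +402,7 @@` hunk no longer carries `tmppath`, but nothing in the code says where /tmp access now comes from. Any temporary-path use in this mode now depends on the `unveil("/tmp", "rwc")` added in the earlier hunk, together with the remaining `rpath wpath cpath` promises. A one-line comment above the pledge call, for example `/* /tmp access comes from the unveil above, not "tmppath" */`, would help keep the two `family == AF_UNIX` branches in step when either is edited later. The if/else chain continues outside the hunk.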