diff --git a/server.c b/server.c
index ff38a353..7ce1c99d 100644
--- a/server.c
+++ b/server.c
@@ -178,6 +178,10 @@ server_start(struct event_base *base, int lockfd, char *lockfile)
 	}
 	close(pair[0]);
 
+	if (pledge("stdio rpath wpath cpath fattr unix recvfd proc exec tty "
+	    "ps", NULL) != 0)
+		fatal("pledge failed");
+
 	/*
 	 * Must daemonise before loading configuration as the PID changes so
 	 * $TMUX would be wrong for sessions created in the config file.
diff --git a/tmux.c b/tmux.c
index 0b8e6a91..b2530285 100644
--- a/tmux.c
+++ b/tmux.c
@@ -19,6 +19,7 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 
+#include <err.h>
 #include <errno.h>
 #include <event.h>
 #include <fcntl.h>
@@ -254,6 +255,10 @@ main(int argc, char **argv)
 	if (shell_cmd != NULL && argc != 0)
 		usage();
 
+	if (pledge("stdio rpath wpath cpath flock fattr unix sendfd recvfd "
+	    "proc exec tty ps", NULL) != 0)
+		err(1, "pledge");
+
 	if (!(flags & CLIENT_UTF8)) {
 		/*
 		 * If the user has set whichever of LC_ALL, LC_CTYPE or LANG