Index: usr.bin/last/last.c
===================================================================
--- usr.bin/last/last.c
+++ usr.bin/last/last.c
@@ -40,6 +40,7 @@
 __FBSDID("$FreeBSD$");
 
 #include <sys/param.h>
+#include <sys/capsicum.h>
 #include <sys/stat.h>
 
 #include <err.h>
@@ -47,6 +48,7 @@
 #include <fcntl.h>
 #include <langinfo.h>
 #include <locale.h>
+#include <nl_types.h>
 #include <paths.h>
 #include <signal.h>
 #include <stdio.h>
@@ -117,12 +119,37 @@
 int
 main(int argc, char *argv[])
 {
+	cap_rights_t rights;
 	int ch;
 	char *p;
 
 	(void) setlocale(LC_TIME, "");
 	d_first = (*nl_langinfo(D_MD_ORDER) == 'd');
 
+	cap_rights_init(&rights, CAP_FSTAT, CAP_IOCTL, CAP_READ, CAP_WRITE);
+	if ((cap_rights_limit(STDIN_FILENO, &rights) < 0 && errno != ENOSYS) ||
+	    (cap_rights_limit(STDOUT_FILENO, &rights) < 0 && errno != ENOSYS) ||
+	    (cap_rights_limit(STDERR_FILENO, &rights) < 0 && errno != ENOSYS))
+		err(1, "can't limit stdio rights");
+
+	/*
+	 * Cache NLS data, for strerror, for err(3), before entering capability
+	 * mode.
+	 */
+	(void)catopen("libc", NL_CAT_LOCALE);
+
+	/*
+	 * Cache UTX database fds.
+	 */
+	setutxent();
+	endutxent();
+
+	/* Cache timezone. */
+	tzset();
+
+	if (cap_enter() < 0 && errno != ENOSYS)
+		err(1, "cap_enter");
+
 	maxrec = -1;
 	snaptime = 0;
 	while ((ch = getopt(argc, argv, "0123456789d:f:h:n:st:wy")) != -1)