Index: usr.bin/last/last.c =================================================================== --- usr.bin/last/last.c +++ usr.bin/last/last.c @@ -40,6 +40,7 @@ __FBSDID("$FreeBSD$"); #include +#include #include #include @@ -47,6 +48,7 @@ #include #include #include +#include #include #include #include @@ -117,6 +119,7 @@ int main(int argc, char *argv[]) { + cap_rights_t rights; int ch; char *p; @@ -176,6 +179,28 @@ usage(); } + cap_rights_init(&rights, CAP_FSTAT, CAP_IOCTL, CAP_READ, CAP_WRITE); + if ((cap_rights_limit(STDIN_FILENO, &rights) < 0 && errno != ENOSYS) || + (cap_rights_limit(STDOUT_FILENO, &rights) < 0 && errno != ENOSYS) || + (cap_rights_limit(STDERR_FILENO, &rights) < 0 && errno != ENOSYS)) + err(1, "can't limit stdio rights"); + + /* + * Cache NLS data, for strerror, for err(3), before entering capability + * mode. + */ + (void)catopen("libc", NL_CAT_LOCALE); + + /* Cache timezone. */ + tzset(); + + /* Cache UTX database. */ + if (setutxdb(UTXDB_LOG, file) != 0) + err(1, "%s", file != NULL ? file : "(default utx db)"); + + if (cap_enter() < 0 && errno != ENOSYS) + err(1, "cap_enter"); + if (sflag && width == 8) usage(); if (argc) { @@ -213,8 +238,6 @@ (void)time(&t); /* Load the last entries from the file. */ - if (setutxdb(UTXDB_LOG, file) != 0) - err(1, "%s", file); while ((ut = getutxent()) != NULL) { if (amount % 128 == 0) { buf = realloc(buf, (amount + 128) * sizeof *ut);
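Review bot: The single `rights` set built by `cap_rights_init(&rights, CAP_FSTAT, CAP_IOCTL, CAP_READ, CAP_WRITE)` in the `@@ -176,6 +179,28 @@` hunk is applied unchanged to stdin, stdout and stderr. As a result stdin keeps `CAP_WRITE`, stdout and stderr keep `CAP_READ`, and `CAP_IOCTL` is granted with no `cap_ioctls_limit()` allowlist, so every tty ioctl stays available inside the sandbox. Limiting each descriptor to the direction it needs and allowlisting only the ioctls the program issues would be tighter; the `TIOCGETA` entry below is an assumption (the isatty() probe done by stdio) to confirm against what last(1) actually calls. Where the tree provides `<capsicum_helpers.h>`, `caph_limit_stdio()` is the ready-made form of this. `main()` begins and continues outside the hunk, so whether later code needs wider rights cannot be checked from here.

```c
	/* Declared with the other locals at the top of main(). */
	static const unsigned long ttycmds[] = { TIOCGETA };

	/* stdin is only ever read from. */
	cap_rights_init(&rights, CAP_FSTAT, CAP_READ);
	if (cap_rights_limit(STDIN_FILENO, &rights) < 0 && errno != ENOSYS)
		err(1, "can't limit stdin rights");

	/* stdout/stderr are only written to; ioctls are allowlisted below. */
	cap_rights_init(&rights, CAP_FSTAT, CAP_IOCTL, CAP_WRITE);
	if ((cap_rights_limit(STDOUT_FILENO, &rights) < 0 && errno != ENOSYS) ||
	    (cap_rights_limit(STDERR_FILENO, &rights) < 0 && errno != ENOSYS))
		err(1, "can't limit stdout/stderr rights");
	if ((cap_ioctls_limit(STDOUT_FILENO, ttycmds,
	    sizeof(ttycmds) / sizeof(ttycmds[0])) < 0 && errno != ENOSYS) ||
	    (cap_ioctls_limit(STDERR_FILENO, ttycmds,
	    sizeof(ttycmds) / sizeof(ttycmds[0])) < 0 && errno != ENOSYS))
		err(1, "can't limit stdio ioctls");

	/* … unchanged: catopen()/tzset()/setutxdb() caching and cap_enter() … */
```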