diff --git a/src/xz/file_io.c b/src/xz/file_io.c
index aca9ebae..382fc02c 100644
--- a/src/xz/file_io.c
+++ b/src/xz/file_io.c
@@ -192,6 +192,9 @@ io_sandbox_enter(int src_fd)
 	// Capsicum needs FreeBSD 10.0 or later.
 	cap_rights_t rights;
 
+	if (cap_enter())
+		goto error;
+
 	if (cap_rights_limit(src_fd, cap_rights_init(&rights,
 			CAP_EVENT, CAP_FCNTL, CAP_LOOKUP, CAP_READ, CAP_SEEK)))
 		goto error;
@@ -209,9 +212,6 @@ io_sandbox_enter(int src_fd)
 			CAP_WRITE)))
 		goto error;
 
-	if (cap_enter())
-		goto error;
-
 #elif defined(HAVE_PLEDGE)
 	// pledge() was introduced in OpenBSD 5.9.
 	//