When we create a new socket descriptor to be "closed" by libldap, go ahead and mark it close-on-exec, just like we try to do with real LDAP client sockets.
diff -up nss_ldap-253/ldap-nss.c nss_ldap-259/ldap-nss.c
--- nss_ldap-253/ldap-nss.c 2008-05-16 12:49:23.000000000 -0400
+++ nss_ldap-253/ldap-nss.c 2008-05-16 12:49:18.000000000 -0400
@@ -891,14 +891,18 @@ do_drop_connection(int sd, int closeSd)
 done. */
 savedfd = do_dupfd (sd, -1);
 dummyfd = socket (AF_INET, SOCK_STREAM, 0);
- if (dummyfd > -1 && dummyfd != sd)
- {
- /* we must let dup2 close sd for us to avoid race conditions
- * in multithreaded code.
- */
- do_dupfd (dummyfd, sd);
- do_closefd (dummyfd);
- }
+ if (dummyfd > -1)
+ {
+ (void) fcntl (dummyfd, F_SETFD, FD_CLOEXEC);
+ if (dummyfd != sd)
+ {
+ /* we must let dup2 close sd for us to avoid race conditions
+ * in multithreaded code.
+ */
+ do_dupfd (dummyfd, sd);
+ do_closefd (dummyfd);
+ }
+ }
 #ifdef HAVE_LDAP_LD_FREE
 #if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
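Review bot: The FD_CLOEXEC set on dummyfd is not carried over to sd in the `dummyfd != sd` branch: `do_dupfd (dummyfd, sd)` produces a fresh descriptor number, and both dup2() and fcntl(F_DUPFD) leave the close-on-exec flag cleared on the target, so the descriptor that libldap is actually handed to close is still inherited across exec, unless do_dupfd() sets the flag itself (its body is outside this hunk). Set the flag on the descriptor that survives, e.g. add `(void) fcntl (sd, F_SETFD, FD_CLOEXEC);` immediately after the `do_dupfd (dummyfd, sd);` line. Separately, socket() followed by a second fcntl() call is not atomic, so a concurrent fork()+exec() in the window between them — the same multithreaded case the existing comment worries about — can still inherit dummyfd; where `SOCK_CLOEXEC` is defined, requesting it in the socket() call closes that window with the fcntl() kept as the fallback. do_drop_connection() begins before and continues after this hunk.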