Every file descriptor we open in our libraries should probably have the close-on-exec flag set as quickly as possible, on UNIX, in case the application is running multithreaded and another thread calls fork and exec while we're doing something with files or sockets.