diff -Naur pppd.orig/eap.c pppd/eap.c
--- pppd.orig/eap.c	2024-09-18 06:30:31.000000000 +0200
+++ pppd/eap.c	2024-10-07 16:18:53.077603533 +0200
@@ -1542,7 +1542,7 @@
 
 	if ((path = name_of_pn_file()) == NULL)
 		return (-1);
-	fd = open(path, modebits, S_IRUSR | S_IWUSR);
+	fd = open(path, modebits, S_IRUSR | S_IWUSR | O_CLOEXEC);
 	err = errno;
 	free(path);
 	errno = err;
diff -Naur pppd.orig/main.c pppd/main.c
--- pppd.orig/main.c	2024-09-18 06:30:31.000000000 +0200
+++ pppd/main.c	2024-10-07 16:19:34.702106298 +0200
@@ -491,7 +491,7 @@
 	die(0);
 
     /* Make sure fds 0, 1, 2 are open to somewhere. */
-    fd_devnull = open(PPP_DEVNULL, O_RDWR);
+    fd_devnull = open(PPP_DEVNULL, O_RDWR | O_CLOEXEC);
     if (fd_devnull < 0)
 	fatal("Couldn't open %s: %m", PPP_DEVNULL);
     while (fd_devnull <= 2) {
diff -Naur pppd.orig/options.c pppd/options.c
--- pppd.orig/options.c	2024-09-18 06:30:31.000000000 +0200
+++ pppd/options.c	2024-10-07 16:21:04.207954343 +0200
@@ -1736,9 +1736,9 @@
 	ppp_option_error("unable to drop permissions to open %s: %m", *argv);
 	return 0;
     }
-    fd = open(*argv, O_WRONLY | O_APPEND | O_CREAT | O_EXCL, 0644);
+    fd = open(*argv, O_WRONLY | O_APPEND | O_CREAT | O_EXCL | O_CLOEXEC, 0644);
     if (fd < 0 && errno == EEXIST)
-	fd = open(*argv, O_WRONLY | O_APPEND);
+	fd = open(*argv, O_WRONLY | O_APPEND | O_CLOEXEC);
     err = errno;
     if (!privileged_option && seteuid(euid) == -1)
 	fatal("unable to regain privileges: %m");
diff -Naur pppd.orig/sys-linux.c pppd/sys-linux.c
--- pppd.orig/sys-linux.c	2024-09-18 06:30:31.000000000 +0200
+++ pppd/sys-linux.c	2024-10-07 16:27:42.282472415 +0200
@@ -656,7 +656,7 @@
 	    goto err;
 	}
 	dbglog("using channel %d", chindex);
-	fd = open("/dev/ppp", O_RDWR);
+	fd = open("/dev/ppp", O_RDWR | O_CLOEXEC);
 	if (fd < 0) {
 	    error("Couldn't reopen /dev/ppp: %m");
 	    goto err;
@@ -894,7 +894,7 @@
 		dbglog("in make_ppp_unit, already had /dev/ppp open?");
 		close(ppp_dev_fd);
 	}
-	ppp_dev_fd = open("/dev/ppp", O_RDWR);
+	ppp_dev_fd = open("/dev/ppp", O_RDWR | O_CLOEXEC);
 	if (ppp_dev_fd < 0)
 		fatal("Couldn't open /dev/ppp: %m");
 	flags = fcntl(ppp_dev_fd, F_GETFL);
@@ -1015,7 +1015,7 @@
 	if (!new_style_driver)
 		return -1;
 
-	master_fd = open("/dev/ppp", O_RDWR);
+	master_fd = open("/dev/ppp", O_RDWR | O_CLOEXEC);
 	if (master_fd < 0)
 		fatal("Couldn't open /dev/ppp: %m");
 	if (ioctl(master_fd, PPPIOCATTACH, &ifnum) < 0) {
@@ -2541,7 +2541,7 @@
 	if (tune_kernel) {
 	    forw_path = path_to_procfs("/sys/net/ipv4/ip_forward");
 	    if (forw_path != 0) {
-		int fd = open(forw_path, O_WRONLY);
+		int fd = open(forw_path, O_WRONLY | O_CLOEXEC);
 		if (fd >= 0) {
 		    if (write(fd, "1", 1) != 1)
 			error("Couldn't enable IP forwarding: %m");
@@ -2886,7 +2886,7 @@
     sscanf(utsname.release, "%d.%d.%d", &osmaj, &osmin, &ospatch);
     kernel_version = KVERSION(osmaj, osmin, ospatch);
 
-    fd = open("/dev/ppp", O_RDWR);
+    fd = open("/dev/ppp", O_RDWR | O_CLOEXEC);
     if (fd >= 0) {
 	new_style_driver = 1;
 
@@ -3064,7 +3064,7 @@
 #if __GLIBC__ >= 2
     updwtmp(_PATH_WTMP, &ut);
 #else
-    wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY);
+    wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY|O_CLOEXEC);
     if (wtmp >= 0) {
 	flock(wtmp, LOCK_EX);
 
@@ -3288,7 +3288,7 @@
 	int fd;
 
 	path = path_to_procfs("/sys/net/ipv4/ip_dynaddr");
-	if (path != 0 && (fd = open(path, O_WRONLY)) >= 0) {
+	if (path != 0 && (fd = open(path, O_WRONLY | O_CLOEXEC)) >= 0) {
 	    if (write(fd, "1", 1) != 1)
 		error("Couldn't enable dynamic IP addressing: %m");
 	    close(fd);
@@ -3542,7 +3542,7 @@
     /*
      * Try the unix98 way first.
      */
-    mfd = open("/dev/ptmx", O_RDWR);
+    mfd = open("/dev/ptmx", O_RDWR | O_CLOEXEC);
     if (mfd >= 0) {
 	int ptn;
 	if (ioctl(mfd, TIOCGPTN, &ptn) >= 0) {
@@ -3553,7 +3553,8 @@
 	    if (ioctl(mfd, TIOCSPTLCK, &ptn) < 0)
 		warn("Couldn't unlock pty slave %s: %m", pty_name);
 #endif
-	    if ((sfd = open(pty_name, O_RDWR | O_NOCTTY)) < 0)
+
+	    if ((sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC)) < 0)
 	    {
 		warn("Couldn't open pty slave %s: %m", pty_name);
 		close(mfd);
@@ -3567,10 +3568,10 @@
 	for (i = 0; i < 64; ++i) {
 	    slprintf(pty_name, sizeof(pty_name), "/dev/pty%c%x",
 		     'p' + i / 16, i % 16);
-	    mfd = open(pty_name, O_RDWR, 0);
+	    mfd = open(pty_name, O_RDWR | O_CLOEXEC, 0);
 	    if (mfd >= 0) {
 		pty_name[5] = 't';
-		sfd = open(pty_name, O_RDWR | O_NOCTTY, 0);
+		sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC, 0);
 		if (sfd >= 0) {
 		    ret = fchown(sfd, uid, -1);
 		    if (ret != 0) {
diff -Naur pppd.orig/tdb.c pppd/tdb.c
--- pppd.orig/tdb.c	2024-09-18 06:30:31.000000000 +0200
+++ pppd/tdb.c	2024-10-07 16:30:04.033122023 +0200
@@ -1276,7 +1276,7 @@
 	}
 
 again:
-	if ((tdb->fd = open(name, open_flags, mode)) == -1) {
+	if ((tdb->fd = open(name, open_flags | O_CLOEXEC, mode)) == -1) {
 		if ((open_flags & O_CREAT) && errno == ENOENT &&
 			mkdir_recursive(PPP_PATH_VARRUN) == 0)
 			goto again;
diff -Naur pppd.orig/tty.c pppd/tty.c
--- pppd.orig/tty.c	2024-09-18 06:30:31.000000000 +0200
+++ pppd/tty.c	2024-10-07 16:31:11.161674911 +0200
@@ -621,7 +621,7 @@
 				ppp_set_status(EXIT_OPEN_FAILED);
 				goto errret;
 			}
-			real_ttyfd = open(devnam, O_NONBLOCK | O_RDWR, 0);
+			real_ttyfd = open(devnam, O_NONBLOCK | O_RDWR | O_CLOEXEC, 0);
 			err = errno;
 			if (prio < OPRIO_ROOT && seteuid(0) == -1)
 				fatal("Unable to regain privileges");
@@ -775,7 +775,7 @@
 	if (connector == NULL && modem && devnam[0] != 0) {
 		int i;
 		for (;;) {
-			if ((i = open(devnam, O_RDWR)) >= 0)
+			if ((i = open(devnam, O_RDWR | O_CLOEXEC)) >= 0)
 				break;
 			if (errno != EINTR) {
 				error("Failed to reopen %s: %m", devnam);
diff -Naur pppd.orig/utils.c pppd/utils.c
--- pppd.orig/utils.c	2024-09-18 06:30:31.000000000 +0200
+++ pppd/utils.c	2024-10-07 16:32:37.780775463 +0200
@@ -926,14 +926,14 @@
     slprintf(lock_file, sizeof(lock_file), "%s/LCK..%s", PPP_PATH_LOCKDIR, dev);
 #endif
 
-    while ((fd = open(lock_file, O_EXCL | O_CREAT | O_RDWR, 0644)) < 0) {
+    while ((fd = open(lock_file, O_EXCL | O_CREAT | O_RDWR | O_CLOEXEC, 0644)) < 0) {
 	if (errno != EEXIST) {
 	    error("Can't create lock file %s: %m", lock_file);
 	    break;
 	}
 
 	/* Read the lock file to find out who has the device locked. */
-	fd = open(lock_file, O_RDONLY, 0);
+	fd = open(lock_file, O_RDONLY | O_CLOEXEC, 0);
 	if (fd < 0) {
 	    if (errno == ENOENT) /* This is just a timing problem. */
 		continue;
@@ -1016,7 +1016,7 @@
 
     if (lock_file[0] == 0)
 	return -1;
-    fd = open(lock_file, O_WRONLY, 0);
+    fd = open(lock_file, O_WRONLY | O_CLOEXEC, 0);
     if (fd < 0) {
 	error("Couldn't reopen lock file %s: %m", lock_file);
 	lock_file[0] = 0;