diff -Naur pppd.orig/eap.c pppd/eap.c
--- pppd.orig/eap.c	2023-03-25 05:38:30.000000000 +0100
+++ pppd/eap.c	2023-06-30 12:58:07.984676045 +0200
@@ -1542,7 +1542,7 @@
 
 	if ((path = name_of_pn_file()) == NULL)
 		return (-1);
-	fd = open(path, modebits, S_IRUSR | S_IWUSR);
+	fd = open(path, modebits, S_IRUSR | S_IWUSR | O_CLOEXEC);
 	err = errno;
 	free(path);
 	errno = err;
diff -Naur pppd.orig/main.c pppd/main.c
--- pppd.orig/main.c	2023-03-25 05:38:30.000000000 +0100
+++ pppd/main.c	2023-06-30 13:00:15.155195676 +0200
@@ -479,7 +479,7 @@
 	die(0);
 
     /* Make sure fds 0, 1, 2 are open to somewhere. */
-    fd_devnull = open(PPP_DEVNULL, O_RDWR);
+    fd_devnull = open(PPP_DEVNULL, O_RDWR | O_CLOEXEC);
     if (fd_devnull < 0)
 	fatal("Couldn't open %s: %m", PPP_DEVNULL);
     while (fd_devnull <= 2) {
diff -Naur pppd.orig/options.c pppd/options.c
--- pppd.orig/options.c	2023-06-30 12:42:19.262593140 +0200
+++ pppd/options.c	2023-06-30 13:01:58.388323345 +0200
@@ -1718,9 +1718,9 @@
 	ppp_option_error("unable to drop permissions to open %s: %m", *argv);
 	return 0;
     }
-    fd = open(*argv, O_WRONLY | O_APPEND | O_CREAT | O_EXCL, 0644);
+    fd = open(*argv, O_WRONLY | O_APPEND | O_CREAT | O_EXCL | O_CLOEXEC, 0644);
     if (fd < 0 && errno == EEXIST)
-	fd = open(*argv, O_WRONLY | O_APPEND);
+	fd = open(*argv, O_WRONLY | O_APPEND | O_CLOEXEC);
     err = errno;
     if (!privileged_option && seteuid(euid) == -1)
 	fatal("unable to regain privileges: %m");
diff -Naur pppd.orig/sys-linux.c pppd/sys-linux.c
--- pppd.orig/sys-linux.c	2023-06-30 12:43:20.634453475 +0200
+++ pppd/sys-linux.c	2023-06-30 13:11:25.715511251 +0200
@@ -666,7 +666,7 @@
 	    goto err;
 	}
 	dbglog("using channel %d", chindex);
-	fd = open("/dev/ppp", O_RDWR);
+	fd = open("/dev/ppp", O_RDWR | O_CLOEXEC);
 	if (fd < 0) {
 	    error("Couldn't reopen /dev/ppp: %m");
 	    goto err;
@@ -904,7 +904,7 @@
 		dbglog("in make_ppp_unit, already had /dev/ppp open?");
 		close(ppp_dev_fd);
 	}
-	ppp_dev_fd = open("/dev/ppp", O_RDWR);
+	ppp_dev_fd = open("/dev/ppp", O_RDWR | O_CLOEXEC);
 	if (ppp_dev_fd < 0)
 		fatal("Couldn't open /dev/ppp: %m");
 	flags = fcntl(ppp_dev_fd, F_GETFL);
@@ -1025,7 +1025,7 @@
 	if (!new_style_driver)
 		return -1;
 
-	master_fd = open("/dev/ppp", O_RDWR);
+	master_fd = open("/dev/ppp", O_RDWR | O_CLOEXEC);
 	if (master_fd < 0)
 		fatal("Couldn't open /dev/ppp: %m");
 	if (ioctl(master_fd, PPPIOCATTACH, &ifnum) < 0) {
@@ -2533,7 +2533,7 @@
 	if (tune_kernel) {
 	    forw_path = path_to_procfs("/sys/net/ipv4/ip_forward");
 	    if (forw_path != 0) {
-		int fd = open(forw_path, O_WRONLY);
+		int fd = open(forw_path, O_WRONLY | O_CLOEXEC);
 		if (fd >= 0) {
 		    if (write(fd, "1", 1) != 1)
 			error("Couldn't enable IP forwarding: %m");
@@ -2878,7 +2878,7 @@
     sscanf(utsname.release, "%d.%d.%d", &osmaj, &osmin, &ospatch);
     kernel_version = KVERSION(osmaj, osmin, ospatch);
 
-    fd = open("/dev/ppp", O_RDWR);
+    fd = open("/dev/ppp", O_RDWR | O_CLOEXEC);
     if (fd >= 0) {
 	new_style_driver = 1;
 
@@ -3056,7 +3056,7 @@
 #if __GLIBC__ >= 2
     updwtmp(_PATH_WTMP, &ut);
 #else
-    wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY);
+    wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY|O_CLOEXEC);
     if (wtmp >= 0) {
 	flock(wtmp, LOCK_EX);
 
@@ -3280,7 +3280,7 @@
 	int fd;
 
 	path = path_to_procfs("/sys/net/ipv4/ip_dynaddr");
-	if (path != 0 && (fd = open(path, O_WRONLY)) >= 0) {
+	if (path != 0 && (fd = open(path, O_WRONLY | O_CLOEXEC)) >= 0) {
 	    if (write(fd, "1", 1) != 1)
 		error("Couldn't enable dynamic IP addressing: %m");
 	    close(fd);
@@ -3534,7 +3534,7 @@
     /*
      * Try the unix98 way first.
      */
-    mfd = open("/dev/ptmx", O_RDWR);
+    mfd = open("/dev/ptmx", O_RDWR | O_CLOEXEC);
     if (mfd >= 0) {
 	int ptn;
 	if (ioctl(mfd, TIOCGPTN, &ptn) >= 0) {
@@ -3545,7 +3545,8 @@
 	    if (ioctl(mfd, TIOCSPTLCK, &ptn) < 0)
 		warn("Couldn't unlock pty slave %s: %m", pty_name);
 #endif
-	    if ((sfd = open(pty_name, O_RDWR | O_NOCTTY)) < 0)
+
+	    if ((sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC)) < 0)
 	    {
 		warn("Couldn't open pty slave %s: %m", pty_name);
 		close(mfd);
@@ -3559,10 +3560,10 @@
 	for (i = 0; i < 64; ++i) {
 	    slprintf(pty_name, sizeof(pty_name), "/dev/pty%c%x",
 		     'p' + i / 16, i % 16);
-	    mfd = open(pty_name, O_RDWR, 0);
+	    mfd = open(pty_name, O_RDWR | O_CLOEXEC, 0);
 	    if (mfd >= 0) {
 		pty_name[5] = 't';
-		sfd = open(pty_name, O_RDWR | O_NOCTTY, 0);
+		sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC, 0);
 		if (sfd >= 0) {
 		    ret = fchown(sfd, uid, -1);
 		    if (ret != 0) {
diff -Naur pppd.orig/tdb.c pppd/tdb.c
--- pppd.orig/tdb.c	2021-07-23 06:41:07.000000000 +0200
+++ pppd/tdb.c	2023-06-30 13:12:55.034900600 +0200
@@ -1728,7 +1728,7 @@
 		goto internal;
 	}
 
-	if ((tdb->fd = open(name, open_flags, mode)) == -1) {
+	if ((tdb->fd = open(name, open_flags | O_CLOEXEC, mode)) == -1) {
 		TDB_LOG((tdb, 5, "tdb_open_ex: could not open file %s: %s\n",
 			 name, strerror(errno)));
 		goto fail;	/* errno set by open(2) */
@@ -1971,7 +1971,7 @@
 	}
 	if (close(tdb->fd) != 0)
 		TDB_LOG((tdb, 0, "tdb_reopen: WARNING closing tdb->fd failed!\n"));
-	tdb->fd = open(tdb->name, tdb->open_flags & ~(O_CREAT|O_TRUNC), 0);
+	tdb->fd = open(tdb->name, (tdb->open_flags & ~(O_CREAT|O_TRUNC)) | O_CLOEXEC, 0);
 	if (tdb->fd == -1) {
 		TDB_LOG((tdb, 0, "tdb_reopen: open failed (%s)\n", strerror(errno)));
 		goto fail;
diff -Naur pppd.orig/tty.c pppd/tty.c
--- pppd.orig/tty.c	2023-03-25 05:38:30.000000000 +0100
+++ pppd/tty.c	2023-06-30 13:14:06.450418113 +0200
@@ -621,7 +621,7 @@
 				ppp_set_status(EXIT_OPEN_FAILED);
 				goto errret;
 			}
-			real_ttyfd = open(devnam, O_NONBLOCK | O_RDWR, 0);
+			real_ttyfd = open(devnam, O_NONBLOCK | O_RDWR | O_CLOEXEC, 0);
 			err = errno;
 			if (prio < OPRIO_ROOT && seteuid(0) == -1)
 				fatal("Unable to regain privileges");
@@ -775,7 +775,7 @@
 	if (connector == NULL && modem && devnam[0] != 0) {
 		int i;
 		for (;;) {
-			if ((i = open(devnam, O_RDWR)) >= 0)
+			if ((i = open(devnam, O_RDWR | O_CLOEXEC)) >= 0)
 				break;
 			if (errno != EINTR) {
 				error("Failed to reopen %s: %m", devnam);
diff -Naur pppd.orig/utils.c pppd/utils.c
--- pppd.orig/utils.c	2022-12-30 02:12:39.000000000 +0100
+++ pppd/utils.c	2023-06-30 13:15:47.860182369 +0200
@@ -843,14 +843,14 @@
     slprintf(lock_file, sizeof(lock_file), "%s/LCK..%s", PPP_PATH_LOCKDIR, dev);
 #endif
 
-    while ((fd = open(lock_file, O_EXCL | O_CREAT | O_RDWR, 0644)) < 0) {
+    while ((fd = open(lock_file, O_EXCL | O_CREAT | O_RDWR | O_CLOEXEC, 0644)) < 0) {
 	if (errno != EEXIST) {
 	    error("Can't create lock file %s: %m", lock_file);
 	    break;
 	}
 
 	/* Read the lock file to find out who has the device locked. */
-	fd = open(lock_file, O_RDONLY, 0);
+	fd = open(lock_file, O_RDONLY | O_CLOEXEC, 0);
 	if (fd < 0) {
 	    if (errno == ENOENT) /* This is just a timing problem. */
 		continue;
@@ -933,7 +933,7 @@
 
     if (lock_file[0] == 0)
 	return -1;
-    fd = open(lock_file, O_WRONLY, 0);
+    fd = open(lock_file, O_WRONLY | O_CLOEXEC, 0);
     if (fd < 0) {
 	error("Couldn't reopen lock file %s: %m", lock_file);
 	lock_file[0] = 0;