diff --git a/CHANGELOG b/CHANGELOG
index 49620d5..bf5195d 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -51,6 +51,7 @@
 - check for buffer overflow in mount_afs.c.
 - update master map tokenizer to admit "slasify-colons" option (Capelle Bonoit).
 - update location validation to accept "_" (Fabio Olive Leite).
+- set close-on-exec flag on open sockets.
 
 1/9/2006 autofs-5.0.1 rc2
 -------------------------
diff --git a/lib/rpc_subs.c b/lib/rpc_subs.c
index 4982457..b4e9c91 100644
--- a/lib/rpc_subs.c
+++ b/lib/rpc_subs.c
@@ -51,7 +51,7 @@ static char *ypdomain = NULL;
  */
 static CLIENT *create_udp_client(struct conn_info *info)
 {
-	int fd, ret, ghn_errno;
+	int fd, cl_flags, ret, ghn_errno;
 	CLIENT *client;
 	struct sockaddr_in laddr, raddr;
 	struct hostent hp;
@@ -105,6 +105,12 @@ got_addr:
 		fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
 		if (fd < 0)
 			return NULL;
+
+		if ((cl_flags = fcntl(fd, F_GETFD, 0)) != -1) {
+			cl_flags |= FD_CLOEXEC;
+			fcntl(fd, F_SETFD, cl_flags);
+		}
+
 		laddr.sin_family = AF_INET;
 		laddr.sin_port = 0;
 		laddr.sin_addr.s_addr = htonl(INADDR_ANY);
@@ -255,7 +261,7 @@ done:
  */
 static CLIENT *create_tcp_client(struct conn_info *info)
 {
-	int fd, ghn_errno;
+	int fd, cl_flags, ghn_errno;
 	CLIENT *client;
 	struct sockaddr_in addr;
 	struct hostent hp;
@@ -304,6 +310,11 @@ got_addr:
 		if (fd < 0)
 			return NULL;
 
+		if ((cl_flags = fcntl(fd, F_GETFD, 0)) != -1) {
+			cl_flags |= FD_CLOEXEC;
+			fcntl(fd, F_SETFD, cl_flags);
+		}
+
 		ret = connect_nb(fd, &addr, &info->timeout);
 		if (ret < 0)
 			goto out_close;
@@ -749,7 +760,7 @@ static int masked_match(const char *addr
 	struct sockaddr_in6 saddr6;
 	struct ifconf ifc;
 	struct ifreq *ifr;
-	int sock, ret, i, is_ipv4, is_ipv6;
+	int sock, cl_flags, ret, i, is_ipv4, is_ipv6;
 	unsigned int msize;
 
 	sock = socket(AF_INET, SOCK_DGRAM, 0);
@@ -759,6 +770,11 @@ static int masked_match(const char *addr
 		return 0;
 	}
 
+	if ((cl_flags = fcntl(sock, F_GETFD, 0)) != -1) {
+		cl_flags |= FD_CLOEXEC;
+		fcntl(sock, F_SETFD, cl_flags);
+	}
+
 	ifc.ifc_len = sizeof(buf);
 	ifc.ifc_req = (struct ifreq *) buf;
 	ret = ioctl(sock, SIOCGIFCONF, &ifc);
diff --git a/modules/replicated.c b/modules/replicated.c
index 5aaaba1..46ea36b 100644
--- a/modules/replicated.c
+++ b/modules/replicated.c
@@ -52,6 +52,8 @@ #include <arpa/inet.h>
 #include <net/if.h>
 #include <netinet/in.h>
 #include <netdb.h>
+#include <unistd.h>
+#include <fcntl.h>
 
 #include "rpc_subs.h"
 #include "replicated.h"
@@ -79,7 +81,7 @@ static unsigned int get_proximity(const 
 	char tmp[20], buf[MAX_ERR_BUF], *ptr;
 	struct ifconf ifc;
 	struct ifreq *ifr, nmptr;
-	int sock, ret, i;
+	int sock, cl_flags, ret, i;
 	uint32_t mask, ha, ia;
 
 	memcpy(tmp, host_addr, addr_len);
@@ -94,6 +96,11 @@ static unsigned int get_proximity(const 
 		return PROXIMITY_ERROR;
 	}
 
+	if ((cl_flags = fcntl(sock, F_GETFD, 0)) != -1) {
+		cl_flags |= FD_CLOEXEC;
+		fcntl(sock, F_SETFD, cl_flags);
+	}
+
 	ifc.ifc_len = sizeof(buf);
 	ifc.ifc_req = (struct ifreq *) buf;
 	ret = ioctl(sock, SIOCGIFCONF, &ifc);