When you view a file with the more command and run a shell, the file descriptor
for reading the file is leaked to that process.

To test, more any file. Then do !/bin/sh. At the prompt do "ls -l /proc/$$/fd"
and you'll see the leaked fd.

From: Steve Grubb <sgrubb@redhat.com>

--- util-linux-2.13-pre7/text-utils/more.c.cloexec	2006-12-14 14:05:31.000000000 +0100
+++ util-linux-2.13-pre7/text-utils/more.c	2006-12-14 14:04:57.000000000 +0100
@@ -478,6 +478,7 @@
 	}
 	if (magic(f, fs))
 		return((FILE *)NULL);
+	fcntl(fileno(f), F_SETFD, FD_CLOEXEC );
 	c = Getc(f);
 	*clearfirst = (c == '\f');
 	Ungetc (c, f);