--- nut-2.7.4/common/parseconf.c.cloexec	2018-12-07 15:56:22.989381441 -0800
+++ nut-2.7.4/common/parseconf.c	2018-12-07 16:48:33.912337591 -0800
@@ -83,6 +83,7 @@
 #include <stdlib.h>
 #include <string.h>	
 #include <unistd.h>
+#include <fcntl.h>
 
 #include "parseconf.h"
 
@@ -443,6 +444,9 @@
 		return 0;
 	}
 
+	/* prevent fd leaking to child processes */
+	fcntl(fileno(ctx->f), F_SETFD, FD_CLOEXEC);
+
 	return 1;	/* OK */
 }
 
--- nut-2.7.4/clients/upsmon.c.cloexec	2018-12-07 16:22:42.185376803 -0800
+++ nut-2.7.4/clients/upsmon.c	2018-12-07 17:18:44.662093479 -0800
@@ -24,6 +24,8 @@
 #include <sys/stat.h>
 #include <sys/wait.h>
 #include <sys/socket.h>
+#include <unistd.h>
+#include <fcntl.h>
 
 #include "upsclient.h"
 #include "upsmon.h"
@@ -1432,6 +1434,9 @@
 	/* we're definitely connected now */
 	setflag(&ups->status, ST_CONNECTED);
 
+	/* prevent connection leaking to NOTIFYCMD */
+	fcntl(upscli_fd(&ups->conn), F_SETFD, FD_CLOEXEC);
+
 	/* now try to authenticate to upsd */
 
 	ret = do_upsd_auth(ups);
@@ -1715,6 +1720,9 @@
 	}
 
 	close(pipefd[0]);
+
+	/* prevent pipe leaking to NOTIFYCMD */
+	fcntl(pipefd[1], F_SETFD, FD_CLOEXEC);
 }
 
 static void delete_ups(utype_t *target)
--- nut-2.7.4/clients/upssched.c.cloexec	2018-12-07 17:09:13.081914570 -0800
+++ nut-2.7.4/clients/upssched.c	2018-12-07 18:28:54.380512191 -0800
@@ -46,6 +46,8 @@
 #include <sys/socket.h>
 #include <sys/un.h>
 #include <netinet/in.h>
+#include <unistd.h>
+#include <fcntl.h>
 
 #include "upssched.h"
 #include "timehead.h"
@@ -297,6 +299,9 @@
 	if (ret < 0)
 		fatal_with_errno(EXIT_FAILURE, "listen(%d, %d) failed", fd, US_LISTEN_BACKLOG);
 
+	/* don't leak socket to CMDSCRIPT */
+	fcntl(fd, F_SETFD, FD_CLOEXEC);
+
 	return fd;
 }
 
@@ -370,6 +375,9 @@
 		return;
 	}
 
+	/* don't leak connection to CMDSCRIPT */
+	fcntl(acc, F_SETFD, FD_CLOEXEC);
+
 	/* enable nonblocking I/O */
 
 	ret = fcntl(acc, F_GETFL, 0);