> This is what I'm trying to say: if this fork() and execve() is not your code, but something
from a proprietary plugin for which you have no source, you cannot control it at all.
True. But consider the converse of your argument: what if the proprietary plugin has called
open() on several files, but failed to set the O_CLOEXEC flag? When you then go to call fork()
and execve() in your own code, you might accidentally leak file descriptors to the child
without even knowing it.
That is why it would be good to also have a closefrom() system call. This function ensures
that the only descriptors inherited are stdout, stdin, and stderr.