From ea4854fda16f3d09afdde6a0392a8a367122e13d Mon Sep 17 00:00:00 2001
From: Sergei Zimmerman <sergei@zimmerman.foo>
Date: Fri, 21 Nov 2025 02:43:26 +0300
Subject: [PATCH] libutil/unix: Add O_CLOEXEC to openDirectory

As a precaution. This function might get used for some long persisted
file descriptor and we need good defaults.
---
 src/libutil/unix/file-system.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libutil/unix/file-system.cc b/src/libutil/unix/file-system.cc
index 8ff66328b..77b83858f 100644
--- a/src/libutil/unix/file-system.cc
+++ b/src/libutil/unix/file-system.cc
@@ -16,7 +16,7 @@ namespace nix {
 
 Descriptor openDirectory(const std::filesystem::path & path)
 {
-    return open(path.c_str(), O_RDONLY | O_DIRECTORY);
+    return open(path.c_str(), O_RDONLY | O_DIRECTORY | O_CLOEXEC);
 }
 
 void setWriteTime(