Short-lived opens of sensitive files
A sensitive file is a file, such as the shadow password file, that contains information that could compromise system security. When sensitive files are opened for reading or writing, they should be kept open only as long as necessary.
The close-on-exec attribute of the file descriptor should be set using the fcntl system call. This prevents unauthorized processes from inheriting open file descriptors via the exec system call.
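The following C sketch is an added example, not code from the original page. It opens a file, sets close-on-exec with fcntl, reads, and closes before returning. The function names, the /tmp path and the sample file contents are constructed for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Open read-only and set close-on-exec with fcntl; -1 on failure. */
int open_sensitive(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
        close(fd);            /* never leave an unprotected descriptor open */
        return -1;
    }
    return fd;
}

/* 1 if fd is close-on-exec, 0 if not, -1 if fd is not open. */
int is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : (flags & FD_CLOEXEC) != 0;
}

/* Short-lived open: read up to len-1 bytes, close at once, then return. */
ssize_t read_sensitive(const char *path, char *buf, size_t len) {
    int fd = len ? open_sensitive(path) : -1;
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);                /* closed before the caller does anything else */
    if (n >= 0) buf[n] = '\0';
    return n;
}

/* Constructed stand-in for a sensitive file (mode 0600); 0 on success. */
int make_sample(char *path, size_t len) {
    snprintf(path, len, "/tmp/cloexec-demo-%ld", (long)getpid());
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    ssize_t w = write(fd, "demo:constructed-entry\n", 23);
    return close(fd) == 0 && w == 23 ? 0 : -1;
}

int main(void) {
    char path[64], buf[64];
    if (make_sample(path, sizeof path) != 0) return 1;
    ssize_t n = read_sensitive(path, buf, sizeof buf);
    unlink(path);
    return n == 23 ? 0 : 1;
}
```

On systems that support it, passing O_CLOEXEC to open sets the attribute atomically, which closes the window between open and fcntl in multithreaded programs.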