diff --git a/lib/hcrypto/rand-fortuna.c b/lib/hcrypto/rand-fortuna.c
index 306cd1795..f75ba575c 100644
--- a/lib/hcrypto/rand-fortuna.c
+++ b/lib/hcrypto/rand-fortuna.c
@@ -505,6 +505,7 @@ fortuna_reseed(void)
 	fd = open("/etc/shadow", O_RDONLY, 0);
 	if (fd >= 0) {
 	    ssize_t n;
+	    rk_cloexec(fd);
 	    /* add_entropy will hash the buf */
 	    while ((n = read(fd, (char *)u.shad, sizeof(u.shad))) > 0)
 		add_entropy(&main_state, u.shad, sizeof(u.shad));