It is desirable to set CLOEXEC on opened files, sockets or logs, so that processes forked by modules such as PHP do not have access to these fds. See bug 82142 for further discussion.