diff --git a/repo/fsrepo/serialize/serialize.go b/repo/fsrepo/serialize/serialize.go
index 864eb4fc1..af8686087 100644
--- a/repo/fsrepo/serialize/serialize.go
+++ b/repo/fsrepo/serialize/serialize.go
@@ -35,7 +35,7 @@ func WriteConfigFile(filename string, cfg interface{}) error {
 		return err
 	}
 
-	f, err := atomicfile.New(filename, 0775)
+	f, err := atomicfile.New(filename, 0660)
 	if err != nil {
 		return err
 	}
diff --git a/repo/fsrepo/serialize/serialize_test.go b/repo/fsrepo/serialize/serialize_test.go
index 5de9674af..9a2ae0cb8 100644
--- a/repo/fsrepo/serialize/serialize_test.go
+++ b/repo/fsrepo/serialize/serialize_test.go
@@ -1,6 +1,7 @@
 package fsrepo
 
 import (
+	"os"
 	"testing"
 
 	config "github.com/jbenet/go-ipfs/repo/config"
@@ -23,4 +24,11 @@ func TestConfig(t *testing.T) {
 	if cfgWritten.Datastore.Path != cfgRead.Datastore.Path {
 		t.Fail()
 	}
+	st, err := os.Stat(filename)
+	if err != nil {
+		t.Fatalf("cannot stat config file: %v", err)
+	}
+	if g := st.Mode().Perm(); g&0117 != 0 {
+		t.Errorf("config file should not be executable or accessible to world: %v", g)
+	}
 }