diff --git a/changelog/14791.txt b/changelog/14791.txt
new file mode 100644
index 0000000000000..b9e43154877e4
--- /dev/null
+++ b/changelog/14791.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core: fixing excessive unix file permissions
+```
diff --git a/command/agent.go b/command/agent.go
index 31a6f7336bc2f..6bafd4cb072d8 100644
--- a/command/agent.go
+++ b/command/agent.go
@@ -979,7 +979,7 @@ func (c *AgentCommand) storePidFile(pidPath string) error {
 }
 // Open the PID file
- pidFile, err := os.OpenFile(pidPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
+ pidFile, err := os.OpenFile(pidPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600)
 if err != nil {
 return fmt.Errorf("could not open pid file: %w", err)
 }
diff --git a/command/operator_raft_snapshot_save.go b/command/operator_raft_snapshot_save.go
index 825bb303a1c86..496b0a7b52c48 100644
--- a/command/operator_raft_snapshot_save.go
+++ b/command/operator_raft_snapshot_save.go
@@ -76,7 +76,7 @@ func (c *OperatorRaftSnapshotSaveCommand) Run(args []string) int {
 w := &lazyOpenWriter{
 openFunc: func() (io.WriteCloser, error) {
- return os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
+ return os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600)
 },
 }
diff --git a/command/server.go b/command/server.go
index 85a846521b878..7aa211877f07b 100644
--- a/command/server.go
+++ b/command/server.go
@@ -1908,7 +1908,7 @@ func (c *ServerCommand) enableThreeNodeDevCluster(base *vault.CoreConfig, info m
 return 1
 }
- if err := ioutil.WriteFile(filepath.Join(testCluster.TempDir, "root_token"), []byte(testCluster.RootToken), 0o755); err != nil {
+ if err := ioutil.WriteFile(filepath.Join(testCluster.TempDir, "root_token"), []byte(testCluster.RootToken), 0o600); err != nil {
 c.UI.Error(fmt.Sprintf("Error writing token to tempfile: %s", err))
 return 1
 }
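Review bot: The `0o600` passed to `os.OpenFile` in `storePidFile` (command/agent.go) only takes effect when the call creates the file; with `O_CREATE|O_TRUNC` an existing PID file is truncated and keeps the mode it already had, so a host upgraded in place would retain the old `0o644` file. If the tighter mode is meant to be enforced rather than just defaulted, follow the open with `if err := pidFile.Chmod(0o600); err != nil { return fmt.Errorf("could not set pid file mode: %w", err) }`, or at least document the limitation with `// mode applies only on creation; an existing file keeps its permissions`. The same applies to the `openFunc` in command/operator_raft_snapshot_save.go, where a snapshot overwritten in place keeps its previous mode, and to `storePidFile` in command/server.go; the `root_token` write uses `ioutil.WriteFile`, which has the same create-only behaviour, though that path is presumably inside a freshly created temp dir. It is also worth confirming that nothing running as a different user (service manager, monitoring) reads the PID file, since it is no longer world-readable. `storePidFile` starts and continues outside the hunk.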
@@ -2140,7 +2140,7 @@ func (c *ServerCommand) storePidFile(pidPath string) error {
 }
 // Open the PID file
- pidFile, err := os.OpenFile(pidPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
+ pidFile, err := os.OpenFile(pidPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600)
 if err != nil {
 return fmt.Errorf("could not open pid file: %w", err)
 }
diff --git a/physical/raft/raft.go b/physical/raft/raft.go
index 41138dd80d079..0012fb97791fc 100644
--- a/physical/raft/raft.go
+++ b/physical/raft/raft.go
@@ -274,7 +274,7 @@ func EnsurePath(path string, dir bool) error {
 if !dir {
 path = filepath.Dir(path)
 }
- return os.MkdirAll(path, 0o755)
+ return os.MkdirAll(path, 0o700)
 }
 // NewRaftBackend constructs a RaftBackend using the given directory
diff --git a/physical/raft/snapshot.go b/physical/raft/snapshot.go
index 7e3f875b0f8e0..cebcdb0a4a82f 100644
--- a/physical/raft/snapshot.go
+++ b/physical/raft/snapshot.go
@@ -86,7 +86,7 @@ func NewBoltSnapshotStore(base string, logger log.Logger, fsm *FSM) (*BoltSnapsh
 // Ensure our path exists
 path := filepath.Join(base, snapPath)
- if err := os.MkdirAll(path, 0o755); err != nil && !os.IsExist(err) {
+ if err := os.MkdirAll(path, 0o700); err != nil && !os.IsExist(err) {
 return nil, fmt.Errorf("snapshot path not accessible: %v", err)
 }
@@ -324,7 +324,7 @@ func (s *BoltSnapshotSink) writeBoltDBFile() error {
 s.logger.Info("creating new snapshot", "path", path)
 // Make the directory
- if err := os.MkdirAll(path, 0o755); err != nil {
+ if err := os.MkdirAll(path, 0o700); err != nil {
 s.logger.Error("failed to make snapshot directory", "error", err)
 return err
 }
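Review bot: `os.MkdirAll(path, 0o700)` in `EnsurePath` (physical/raft/raft.go) returns nil without touching permissions when the directory already exists, so a raft data directory created by an earlier release stays `0o755` after this change. If the intent is that the directory is never group- or world-accessible, stat it after the call and tighten or reject it when `info.Mode().Perm()&0o077 != 0`; one way is sketched below, and since these bits are only meaningful on Unix a Windows build may need to skip the check. The two `os.MkdirAll` calls in physical/raft/snapshot.go (`NewBoltSnapshotStore`, `writeBoltDBFile`) have the same gap. `EnsurePath` starts outside its hunk, and both snapshot.go functions continue outside theirs.

```go
	// … unchanged: dir/parent selection above …
	if err := os.MkdirAll(path, 0o700); err != nil {
		return err
	}
	// MkdirAll leaves an existing directory's mode untouched, so check it explicitly.
	info, err := os.Stat(path)
	if err != nil {
		return err
	}
	if info.Mode().Perm()&0o077 != 0 {
		return os.Chmod(path, 0o700)
	}
	return nil
}
```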