diff --git a/src/child.c b/src/child.c
index d68952c..bcb480d 100644
--- a/src/child.c
+++ b/src/child.c
@@ -73,6 +73,11 @@ _child_lock_init(void)
 {
 char lock_file[] = "/tmp/tinyproxy.servers.lock.XXXXXX";
+ /* Only allow u+rw bits. This may be required for some versions
+ * of glibc so that mkstemp() doesn't make us vulnerable.
+ */
+ umask(0177);
+
 lock_fd = mkstemp(lock_file);
 unlink(lock_file);
diff --git a/src/daemon.c b/src/daemon.c
index b086a50..a6419ba 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -38,7 +38,7 @@ makedaemon(void)
 exit(0);
 chdir("/");
- umask(077);
+ umask(0177);
 #if NDEBUG
 /*
diff --git a/src/heap.c b/src/heap.c
index be91d76..c92ddaf 100644
--- a/src/heap.c
+++ b/src/heap.c
@@ -114,6 +114,11 @@ malloc_shared_memory(size_t size)
 strlcpy(buffer, shared_file, sizeof(buffer));
+ /* Only allow u+rw bits. This may be required for some versions
+ * of glibc so that mkstemp() doesn't make us vulnerable.
+ */
+ umask(0177);
+
 if ((fd = mkstemp(buffer)) == -1) return (void *)MAP_FAILED;
 unlink(buffer);
diff --git a/src/tinyproxy.c b/src/tinyproxy.c
index 76ff993..636fca7 100644
--- a/src/tinyproxy.c
+++ b/src/tinyproxy.c
@@ -165,6 +165,11 @@ main(int argc, char **argv)
 }
 #endif /* HAVE_SETRLIMIT */
+ /* Only allow u+rw bits. This may be required for some versions
+ * of glibc so that mkstemp() doesn't make us vulnerable.
+ */
+ umask(0177);
+
 /* Default configuration file location */
 config.config_file = DEFAULT_CONF_FILE;
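Review bot: The `umask(0177)` added in `_child_lock_init()` changes the mask for the whole process and is never restored, so every file created afterwards inherits it as a side effect of initialising a lock; the same pattern is added in `malloc_shared_memory()` in src/heap.c. Saving and restoring the previous value keeps the hardening local to the temporary file: `mode_t old = umask(0177); lock_fd = mkstemp(lock_file); umask(old);`. The context lines also show `unlink(lock_file)` running without `lock_fd` being compared with -1, so a failed mkstemp() goes unnoticed here, whereas the heap.c hunk does check it. The function body continues past the end of the hunk.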
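Review bot: Changing the daemon-wide mask from `077` to `0177` in `makedaemon()` also clears the owner execute bit, which on a directory is the search permission, so any directory created after this point would come out as 0600 and be unusable even to its owner. Whether tinyproxy creates directories after daemonising is not visible in this hunk and needs confirming; if it can, keep `umask(077)` here and apply the narrower mask only around the mkstemp() calls. Either way a comment such as `/* 0177: new files are u+rw only; no directories may be created under this mask */` would record the decision. makedaemon() starts and ends outside the hunk.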
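Review bot: The comment copied into `main()` describes a mkstemp() workaround, but at this position the call sets the mask for every file the process creates from here on (presumably including log and pid files, though their creation is not shown). The comment should state that intent, for example `/* Restrict every file we create to u+rw (0600); mkstemp() on some glibc versions relies on the umask for this. */`. With the mask set once at startup, the identical calls in src/child.c and src/heap.c look redundant unless those functions can run before `main()` reaches this line. A single named constant for `0177` would keep the four call sites in sync.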