diff --git a/v3.go b/v3.go
index 6333b81f..53e40637 100644
--- a/v3.go
+++ b/v3.go
@@ -248,8 +248,9 @@ func unixSocketListener(bindAddr string) net.Listener {
 	if err != nil {
 		logger.Fatal().Err(err).Msg("failed to serve unix socket")
 	}
-	// TODO: safe default for now (rwxr-xr-x), could be extracted as env variable if needed
-	err = os.Chmod(bindAddr, 0755)
+	// least permissions and work out of box (-w--w--w-); could be extracted as
+	// env variable if needed
+	err = os.Chmod(bindAddr, 0222)
 	if err != nil {
 		logger.Fatal().Err(err).Msg("failed to set unix socket permissions")
 	}