diff --git a/src/lib/services.ts b/src/lib/services.ts
index 34ff9db24d..1dfc87c341 100644
--- a/src/lib/services.ts
+++ b/src/lib/services.ts
@@ -3,8 +3,10 @@
 import { execSync, spawn } from "node:child_process";
 import {
+ chmodSync,
 closeSync,
 existsSync,
+ fchmodSync,
 mkdirSync,
 openSync,
 readFileSync,
@@ -61,8 +63,9 @@ function warn(msg: string): void {
 function ensurePidDir(pidDir: string): void {
 if (!existsSync(pidDir)) {
- mkdirSync(pidDir, { recursive: true });
+ mkdirSync(pidDir, { recursive: true, mode: 0o700 });
 }
+ chmodSync(pidDir, 0o700);
 }
 function readPid(pidDir: string, name: string): number | null {
@@ -123,7 +126,8 @@ function startService(
 // Uses child_process.spawn directly because execa's typed API
 // does not accept raw file descriptors for stdio.
 const logFile = join(pidDir, `${name}.log`);
- const logFd = openSync(logFile, "w");
+ const logFd = openSync(logFile, "w", 0o600);
+ fchmodSync(logFd, 0o600);
 const subprocess = spawn(command, args, {
 detached: true,
 stdio: ["ignore", logFd, logFd],
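Review bot: `ensurePidDir` tightens the mode but never checks what `pidDir` actually is: `existsSync` and `chmodSync` both follow symlinks, so a pre-existing symlink is accepted and its target is re-moded, and nothing confirms the directory belongs to the current user. If `pidDir` can live under a shared parent (not visible from this hunk), add a check before the chmod, e.g. `const st = lstatSync(pidDir);` then `if (!st.isDirectory()) throw new Error("pid dir is not a real directory");`, plus a `st.uid` comparison against `process.getuid()` on POSIX, and import `lstatSync`. The unconditional chmod also deserves a comment, such as `// Re-apply 0o700: mkdirSync's mode is subject to umask, and mkdirSync is skipped when the directory already exists`. Note that `chmodSync` will now throw for a directory the process does not own; that is the safe outcome, but it may be worth catching to report a clear error.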
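Review bot: `openSync(logFile, "w", 0o600)` still follows a symlink at `${name}.log` and truncates whatever it points to, and the added `fchmodSync` then re-modes that target; the mode argument only takes effect when the file is created. With the directory now 0o700 this mainly concerns log paths left over from runs before this change, but on POSIX opening with `constants.O_WRONLY | constants.O_CREAT | constants.O_TRUNC | constants.O_NOFOLLOW` (from `node:fs`) instead of `"w"` would make the open fail rather than write through a link. Calling `fchmodSync` on the descriptor rather than `chmodSync` on the path is the right choice and is worth a comment, e.g. `// fchmod on the fd: fixes the mode of a pre-existing log without a path race`. The rest of `startService` lies outside the hunk, so whether any pid file written there gets the same 0o600 treatment should be checked separately.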