diff --git a/client/config/dfcache.go b/client/config/dfcache.go
index a4f92c863e3..2e30722c84a 100644
--- a/client/config/dfcache.go
+++ b/client/config/dfcache.go
@@ -212,7 +212,7 @@ func (cfg *CacheOption) checkOutput() error {
 	}
 
 	outputDir, _ := path.Split(cfg.Output)
-	if err := MkdirAll(outputDir, 0777, os.Getuid(), os.Getgid()); err != nil {
+	if err := MkdirAll(outputDir, 0700, os.Getuid(), os.Getgid()); err != nil {
 		return err
 	}
 
diff --git a/client/config/dfget.go b/client/config/dfget.go
index 094a13f778e..67ab0becadd 100644
--- a/client/config/dfget.go
+++ b/client/config/dfget.go
@@ -231,7 +231,7 @@ func (cfg *ClientOption) checkOutput() error {
 		return fmt.Errorf("path[%s] is not absolute path", cfg.Output)
 	}
 	outputDir, _ := path.Split(cfg.Output)
-	if err := MkdirAll(outputDir, 0777, os.Getuid(), os.Getgid()); err != nil {
+	if err := MkdirAll(outputDir, 0700, os.Getuid(), os.Getgid()); err != nil {
 		return err
 	}
 
diff --git a/client/config/dfget_test.go b/client/config/dfget_test.go
index cba2ca0ee54..34885e5aaa6 100644
--- a/client/config/dfget_test.go
+++ b/client/config/dfget_test.go
@@ -27,7 +27,7 @@ import (
 
 func TestMkdirAllRoot(t *testing.T) {
 	assert := testifyassert.New(t)
-	err := MkdirAll("/", 0777, os.Getuid(), os.Getgid())
+	err := MkdirAll("/", 0700, os.Getuid(), os.Getgid())
 	assert.Nil(err, "mkdir should not return error")
 }
 
@@ -114,13 +114,13 @@ func TestMkdirAll(t *testing.T) {
 			if !ok {
 				return
 			}
-			assert.Nil(os.MkdirAll(tc.parent, 0777))
+			assert.Nil(os.MkdirAll(tc.parent, 0700))
 			defer func() {
 				// remove parent directory
 				assert.Nil(os.RemoveAll(tc.parent))
 			}()
 
-			err := MkdirAll(tc.dir, 0777, tc.uid, tc.gid)
+			err := MkdirAll(tc.dir, 0700, tc.uid, tc.gid)
 			assert.Nil(err, "mkdir should not return error")
 
 			// check new directories' permission
diff --git a/client/config/peerhost_test.go b/client/config/peerhost_test.go
index e184438e181..0a1a78ca5e7 100644
--- a/client/config/peerhost_test.go
+++ b/client/config/peerhost_test.go
@@ -249,7 +249,7 @@ func TestPeerHostOption_Load(t *testing.T) {
 		},
 		Metrics:      ":8000",
 		WorkHome:     "/tmp/dragonfly/dfdaemon/",
-		WorkHomeMode: 0755,
+		WorkHomeMode: 0700,
 		CacheDir:     "/var/cache/dragonfly/",
 		CacheDirMode: 0700,
 		LogDir:       "/var/log/dragonfly/",
diff --git a/client/config/testdata/config/daemon.yaml b/client/config/testdata/config/daemon.yaml
index 9ad880b7021..4537fc021c2 100644
--- a/client/config/testdata/config/daemon.yaml
+++ b/client/config/testdata/config/daemon.yaml
@@ -7,7 +7,7 @@ metrics: ":8000"
 aliveTime: 0s
 gcInterval: 1m0s
 workHome: /tmp/dragonfly/dfdaemon/
-workHomeMode: 0755
+workHomeMode: 0700
 cacheDir: /var/cache/dragonfly/
 cacheDirMode: 0700
 logDir: /var/log/dragonfly/
diff --git a/client/daemon/peer/peertask_manager_test.go b/client/daemon/peer/peertask_manager_test.go
index 783f4419c28..ad4825b8f9a 100644
--- a/client/daemon/peer/peertask_manager_test.go
+++ b/client/daemon/peer/peertask_manager_test.go
@@ -269,7 +269,7 @@ func setupPeerTaskManagerComponents(ctrl *gomock.Controller, opt componentsOptio
 			TaskExpireTime: util.Duration{
 				Duration: -1 * time.Second,
 			},
-		}, func(request storage.CommonTaskRequest) {}, os.FileMode(0755))
+		}, func(request storage.CommonTaskRequest) {}, os.FileMode(0700))
 	return sched, storageManager
 }
 
diff --git a/client/daemon/peer/peertask_stream_backsource_partial_test.go b/client/daemon/peer/peertask_stream_backsource_partial_test.go
index 817f82c7031..a62359e561a 100644
--- a/client/daemon/peer/peertask_stream_backsource_partial_test.go
+++ b/client/daemon/peer/peertask_stream_backsource_partial_test.go
@@ -225,7 +225,7 @@ func setupBackSourcePartialComponents(ctrl *gomock.Controller, testBytes []byte,
 			TaskExpireTime: util.Duration{
 				Duration: -1 * time.Second,
 			},
-		}, func(request storage.CommonTaskRequest) {}, os.FileMode(0755))
+		}, func(request storage.CommonTaskRequest) {}, os.FileMode(0700))
 	return sched, storageManager
 }
 
diff --git a/client/daemon/peer/peertask_stream_resume_test.go b/client/daemon/peer/peertask_stream_resume_test.go
index 4d613dfc342..ebd99ab0048 100644
--- a/client/daemon/peer/peertask_stream_resume_test.go
+++ b/client/daemon/peer/peertask_stream_resume_test.go
@@ -91,7 +91,7 @@ func setupResumeStreamTaskComponents(ctrl *gomock.Controller, opt componentsOpti
 				Duration: -1 * time.Second,
 			},
 		}, func(request storage.CommonTaskRequest) {},
-		os.FileMode(0755))
+		os.FileMode(0700))
 	return sched, storageManager
 }
 
diff --git a/client/daemon/peer/piece_manager_test.go b/client/daemon/peer/piece_manager_test.go
index 79cf7996ecb..8cf36356fc9 100644
--- a/client/daemon/peer/piece_manager_test.go
+++ b/client/daemon/peer/piece_manager_test.go
@@ -75,7 +75,7 @@ func TestPieceManager_DownloadSource(t *testing.T) {
 			TaskExpireTime: clientutil.Duration{
 				Duration: -1 * time.Second,
 			},
-		}, func(request storage.CommonTaskRequest) {}, os.FileMode(0755))
+		}, func(request storage.CommonTaskRequest) {}, os.FileMode(0700))
 
 	hash := md5.New()
 	hash.Write(testBytes)
diff --git a/client/daemon/peer/traffic_shaper_test.go b/client/daemon/peer/traffic_shaper_test.go
index 1c2985f6628..d90512e33cc 100644
--- a/client/daemon/peer/traffic_shaper_test.go
+++ b/client/daemon/peer/traffic_shaper_test.go
@@ -231,7 +231,7 @@ func trafficShaperSetupPeerTaskManagerComponents(ctrl *gomock.Controller, opt tr
 			TaskExpireTime: util.Duration{
 				Duration: -1 * time.Second,
 			},
-		}, func(request storage.CommonTaskRequest) {}, os.FileMode(0755))
+		}, func(request storage.CommonTaskRequest) {}, os.FileMode(0700))
 	return sched, storageManager
 }
 
diff --git a/client/daemon/rpcserver/rpcserver.go b/client/daemon/rpcserver/rpcserver.go
index 5f2d9e164db..5e58a023708 100644
--- a/client/daemon/rpcserver/rpcserver.go
+++ b/client/daemon/rpcserver/rpcserver.go
@@ -1082,7 +1082,7 @@ func checkOutput(output string) error {
 		return fmt.Errorf("path[%s] is not absolute path", output)
 	}
 	outputDir, _ := path.Split(output)
-	if err := config.MkdirAll(outputDir, 0777, os.Getuid(), os.Getgid()); err != nil {
+	if err := config.MkdirAll(outputDir, 0700, os.Getuid(), os.Getgid()); err != nil {
 		return err
 	}
 
diff --git a/client/daemon/storage/const.go b/client/daemon/storage/const.go
index 874219acddb..a834aa3c7e7 100644
--- a/client/daemon/storage/const.go
+++ b/client/daemon/storage/const.go
@@ -26,7 +26,7 @@ const (
 	taskMetadata = "metadata"
 
 	defaultFileMode      = os.FileMode(0644)
-	defaultDirectoryMode = os.FileMode(0755) // used unless overridden in config
+	defaultDirectoryMode = os.FileMode(0700) // used unless overridden in config
 )
 
 var (
diff --git a/cmd/dependency/doc_cmd.go b/cmd/dependency/doc_cmd.go
index 569b38c17da..70cc05745a1 100644
--- a/cmd/dependency/doc_cmd.go
+++ b/cmd/dependency/doc_cmd.go
@@ -59,7 +59,7 @@ func (g *genDocCommand) bindFlags() {
 }
 
 func (g *genDocCommand) runDoc() error {
-	_ = os.MkdirAll(g.path, fs.FileMode(0755))
+	_ = os.MkdirAll(g.path, fs.FileMode(0700))
 	file, err := os.Stat(g.path)
 	if err != nil {
 		return err
diff --git a/internal/dflog/loginit.go b/internal/dflog/loginit.go
index 7881a8dd911..7105f7c377f 100644
--- a/internal/dflog/loginit.go
+++ b/internal/dflog/loginit.go
@@ -205,7 +205,7 @@ func createConsoleLogger(verbose bool) error {
 func createFileLogger(verbose bool, meta []logInitMeta, logDir string) error {
 	levels = nil
 	// create parent dir first
-	_ = os.MkdirAll(logDir, fs.FileMode(0755))
+	_ = os.MkdirAll(logDir, fs.FileMode(0700))
 
 	for _, m := range meta {
 		log, level, err := CreateLogger(path.Join(logDir, m.fileName), false, false, verbose)
diff --git a/pkg/cache/cache.go b/pkg/cache/cache.go
index b69182498b7..bbbb4fb61b5 100644
--- a/pkg/cache/cache.go
+++ b/pkg/cache/cache.go
@@ -20,6 +20,7 @@ import (
 	"encoding/gob"
 	"fmt"
 	"io"
+	"io/fs"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -290,7 +291,7 @@ func (c *cache) Save(w io.Writer) (err error) {
 // documentation for NewFrom().)
 func (c *cache) SaveFile(fname string) error {
 	dir := filepath.Dir(fname)
-	if err := os.MkdirAll(dir, os.ModePerm); err != nil {
+	if err := os.MkdirAll(dir, fs.FileMode(0700)); err != nil {
 		return err
 	}
 
diff --git a/pkg/dfpath/dfpath.go b/pkg/dfpath/dfpath.go
index 24380d9a47d..b3ab4f11d20 100644
--- a/pkg/dfpath/dfpath.go
+++ b/pkg/dfpath/dfpath.go
@@ -160,17 +160,17 @@ func New(options ...Option) (Dfpath, error) {
 		}
 
 		// Create log directory.
-		if err := os.MkdirAll(d.logDir, fs.FileMode(0755)); err != nil {
+		if err := os.MkdirAll(d.logDir, fs.FileMode(0700)); err != nil {
 			cache.err = multierror.Append(cache.err, err)
 		}
 
 		// Create plugin directory.
-		if err := os.MkdirAll(d.pluginDir, fs.FileMode(0755)); err != nil {
+		if err := os.MkdirAll(d.pluginDir, fs.FileMode(0700)); err != nil {
 			cache.err = multierror.Append(cache.err, err)
 		}
 
 		// Create unix socket directory.
-		if err := os.MkdirAll(path.Dir(d.daemonSockPath), fs.FileMode(0755)); err != nil {
+		if err := os.MkdirAll(path.Dir(d.daemonSockPath), fs.FileMode(0700)); err != nil {
 			cache.err = multierror.Append(cache.err, err)
 		}
 
diff --git a/pkg/dfpath/dfpath_darwin.go b/pkg/dfpath/dfpath_darwin.go
index ff1549fa707..f5faa2b0041 100644
--- a/pkg/dfpath/dfpath_darwin.go
+++ b/pkg/dfpath/dfpath_darwin.go
@@ -26,12 +26,12 @@ import (
 )
 
 var DefaultWorkHome = filepath.Join(user.HomeDir(), ".dragonfly")
-var DefaultWorkHomeMode = os.FileMode(0755)
+var DefaultWorkHomeMode = os.FileMode(0700)
 var DefaultCacheDir = filepath.Join(DefaultWorkHome, "cache")
-var DefaultCacheDirMode = os.FileMode(0755)
+var DefaultCacheDirMode = os.FileMode(0700)
 var DefaultConfigDir = filepath.Join(DefaultWorkHome, "config")
 var DefaultLogDir = filepath.Join(DefaultWorkHome, "logs")
 var DefaultDataDir = filepath.Join(DefaultWorkHome, "data")
-var DefaultDataDirMode = os.FileMode(0755)
+var DefaultDataDirMode = os.FileMode(0700)
 var DefaultPluginDir = filepath.Join(DefaultWorkHome, "plugins")
 var DefaultDownloadUnixSocketPath = filepath.Join(DefaultWorkHome, "dfdaemon.sock")
diff --git a/pkg/dfpath/dfpath_linux.go b/pkg/dfpath/dfpath_linux.go
index 11a5935dc17..f85bfa6621b 100644
--- a/pkg/dfpath/dfpath_linux.go
+++ b/pkg/dfpath/dfpath_linux.go
@@ -21,12 +21,12 @@ package dfpath
 import "os"
 
 var DefaultWorkHome = "/usr/local/dragonfly"
-var DefaultWorkHomeMode = os.FileMode(0755)
+var DefaultWorkHomeMode = os.FileMode(0700)
 var DefaultCacheDir = "/var/cache/dragonfly"
-var DefaultCacheDirMode = os.FileMode(0755)
+var DefaultCacheDirMode = os.FileMode(0700)
 var DefaultConfigDir = "/etc/dragonfly"
 var DefaultLogDir = "/var/log/dragonfly"
 var DefaultDataDir = "/var/lib/dragonfly"
-var DefaultDataDirMode = os.FileMode(0755)
+var DefaultDataDirMode = os.FileMode(0700)
 var DefaultPluginDir = "/usr/local/dragonfly/plugins"
 var DefaultDownloadUnixSocketPath = "/var/run/dfdaemon.sock"
diff --git a/trainer/storage/storage_test.go b/trainer/storage/storage_test.go
index 3d798cb4cb5..2c298c87dd1 100644
--- a/trainer/storage/storage_test.go
+++ b/trainer/storage/storage_test.go
@@ -498,7 +498,7 @@ func TestStorage_Clear(t *testing.T) {
 			baseDir: os.TempDir(),
 			mock: func(t *testing.T, s Storage, baseDir string) {
 				s.(*storage).baseDir = filepath.Join(baseDir, "bae")
-				if err := os.MkdirAll(s.(*storage).baseDir, os.ModePerm); err != nil {
+				if err := os.MkdirAll(s.(*storage).baseDir, fs.FileMode(0700)); err != nil {
 					t.Fatal(err)
 				}