diff --git a/warpgate-common/src/helpers/fs.rs b/warpgate-common/src/helpers/fs.rs
index e4d5ca1..99f5dac 100644
--- a/warpgate-common/src/helpers/fs.rs
+++ b/warpgate-common/src/helpers/fs.rs
@@ -1,10 +1,21 @@
 use std::os::unix::prelude::PermissionsExt;
 use std::path::Path;
 
+fn maybe_apply_permissions<P: AsRef<Path>>(
+    path: P,
+    permissions: std::fs::Permissions,
+) -> std::io::Result<()> {
+    let current = std::fs::metadata(&path)?.permissions();
+    if current != permissions {
+        std::fs::set_permissions(path, permissions)?;
+    }
+    Ok(())
+}
+
 pub fn secure_directory<P: AsRef<Path>>(path: P) -> std::io::Result<()> {
-    std::fs::set_permissions(path.as_ref(), std::fs::Permissions::from_mode(0o700))
+    maybe_apply_permissions(path.as_ref(), std::fs::Permissions::from_mode(0o700))
 }
 
 pub fn secure_file<P: AsRef<Path>>(path: P) -> std::io::Result<()> {
-    std::fs::set_permissions(path.as_ref(), std::fs::Permissions::from_mode(0o600))
+    maybe_apply_permissions(path.as_ref(), std::fs::Permissions::from_mode(0o600))
 }