diff --git a/agent/download.go b/agent/download.go
index bcd1b79ba2..722826be9e 100644
--- a/agent/download.go
+++ b/agent/download.go
@@ -24,6 +24,9 @@ const (
 	headerUserAgent = "User-Agent"
 )
 
+// Real umask set by init func in download_unix.go. 0o022 is a common default.
+var umask = os.FileMode(0o022)
+
 type DownloadConfig struct {
 	// The actual URL to get the file from
 	URL string
@@ -184,6 +187,13 @@ func (d Download) try(ctx context.Context) error {
 		return fmt.Errorf("copying data to temp file (%T: %w)", err, err)
 	}
 
+	// os.CreateTemp uses 0o600 permissions, but in the past we used os.Create
+	// which uses 0x666. Since these are set at open time, they are restricted
+	// by umask.
+	if err := temp.Chmod(0o666 &^ umask); err != nil {
+		return fmt.Errorf("setting file permissions (%T: %w)", err, err)
+	}
+
 	// close must succeed for the file to be considered properly written.
 	if err := temp.Close(); err != nil {
 		return fmt.Errorf("closing temp file (%T: %w)", err, err)
diff --git a/agent/download_unix.go b/agent/download_unix.go
new file mode 100644
index 0000000000..d351b47de3
--- /dev/null
+++ b/agent/download_unix.go
@@ -0,0 +1,15 @@
+//go:build unix
+
+package agent
+
+import (
+	"os"
+
+	"golang.org/x/sys/unix"
+)
+
+func init() {
+	// Can't read the current umask(2) without changing it.
+	umask = os.FileMode(unix.Umask(int(umask)))
+	unix.Umask(int(umask))
+}