diff --git a/etc/profile.d/30_security-misc-umask.sh b/etc/profile.d/30_security-misc-umask.sh
new file mode 100644
index 00000000..a007de79
--- /dev/null
+++ b/etc/profile.d/30_security-misc-umask.sh
@@ -0,0 +1,6 @@
+if [ "$(id -u)" -eq 0 ]
+then
+ umask 077
+else
+ umask 022
+fi
diff --git a/usr/share/pam-configs/mkhomedir-security-misc b/usr/share/pam-configs/mkhomedir-security-misc
index 326013c0..b246ea03 100644
--- a/usr/share/pam-configs/mkhomedir-security-misc
+++ b/usr/share/pam-configs/mkhomedir-security-misc
@@ -4,4 +4,4 @@ Priority: 100
 Session-Type: Additional
 Session-Interactive-Only: yes
 Session:
- optional pam_mkhomedir.so umask=027
+ optional pam_mkhomedir.so umask=0077
diff --git a/usr/share/pam-configs/umask-security-misc b/usr/share/pam-configs/umask-security-misc
new file mode 100644
index 00000000..70e6d140
--- /dev/null
+++ b/usr/share/pam-configs/umask-security-misc
@@ -0,0 +1,8 @@
+Name: Restrict umask to 0077 (by package security-misc)
+Default: yes
+Priority: 100
+Session-Type: Additional
+Session-Interactive-Only: yes
+Session:
+ [success=1 default=ignore] pam_succeed_if.so uid eq 0
+ optional pam_umask.so umask=0077
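Review bot: The `else` branch's `umask 022` is executed after the PAM session stack has already run, so for every non-root login shell it replaces the `umask=0077` that the umask-security-misc stanza in this same diff sets via pam_umask, and files created from such shells become world-readable again; if 0077 is the intended policy for all users, the branch should be `umask 077` too, or the `else` branch dropped so the PAM value is simply inherited. The script also only affects processes that source /etc/profile, so non-login shells, cron jobs and services are not covered by it at all — that split of responsibility is worth stating in a header comment, e.g. `# Login shells only: non-login/non-interactive sessions get their umask from pam_umask (umask-security-misc).` As a minor style point, the PAM stanzas write the mask as `0077` while this script writes `077`; the values are equal, but using one spelling makes grepping for the policy easier.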
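Review bot: The tightened `umask=0077` only takes effect when pam_mkhomedir actually creates a home directory (and copies /etc/skel), so accounts whose homes were already created under the previous `umask=027` keep 0750 directories and this change is not retroactive. Since the stanza's Name field and the rest of the header start above the hunk, this caveat is not visible to an admin reading the file; a one-line note in the package's documentation or changelog saying that existing home directories must be tightened by hand (or are deliberately left alone) would avoid a false sense that every home is now private. The enclosing stanza begins outside the hunk.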
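Review bot: The `pam_succeed_if.so uid eq 0` line will write a "requirement \"uid eq 0\" not met" message to syslog for every non-root session opened, because pam_succeed_if logs unmet requirements unless silenced; use `[success=1 default=ignore] pam_succeed_if.so quiet uid eq 0` to keep the jump-over-root control flow without flooding the auth log. That same line also means pam_umask is skipped entirely for uid 0, so the stanza's Name "Restrict umask to 0077" is not what happens for root — in this diff root only gets a restrictive umask from the profile.d script, i.e. in login shells and not in non-login contexts; if that is deliberate, the Name field (or a comment above the Session lines) should say "non-root users" so the next maintainer does not assume root is covered. Because the stanza is `Session-Interactive-Only: yes`, pam-auth-update will add it to common-session but not common-session-noninteractive, so cron and other non-interactive sessions keep their default umask; please confirm that narrower scope is intended.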