diff --git a/libcontainer/console_linux.go b/libcontainer/console_linux.go
index d2b9cf59438..e506853e45a 100644
--- a/libcontainer/console_linux.go
+++ b/libcontainer/console_linux.go
@@ -9,13 +9,15 @@ import (
 // mount initializes the console inside the rootfs mounting with the specified mount label
 // and applying the correct ownership of the console.
 func mountConsole(slavePath string) error {
-	oldMask := unix.Umask(0o000)
-	defer unix.Umask(oldMask)
 	f, err := os.Create("/dev/console")
 	if err != nil && !os.IsExist(err) {
 		return err
 	}
 	if f != nil {
+		// Ensure permission bits (can be different because of umask).
+		if err := f.Chmod(0o666); err != nil {
+			return err
+		}
 		f.Close()
 	}
 	return mount(slavePath, "/dev/console", "bind", unix.MS_BIND, "")
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index ae5d4fb46b4..d1a7b6055f8 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -413,12 +413,13 @@ func (c *Container) createExecFifo() error {
 	if _, err := os.Stat(fifoName); err == nil {
 		return fmt.Errorf("exec fifo %s already exists", fifoName)
 	}
-	oldMask := unix.Umask(0o000)
 	if err := unix.Mkfifo(fifoName, 0o622); err != nil {
-		unix.Umask(oldMask)
+		return &os.PathError{Op: "mkfifo", Path: fifoName, Err: err}
+	}
+	// Ensure permission bits (can be different because of umask).
+	if err := os.Chmod(fifoName, 0o622); err != nil {
 		return err
 	}
-	unix.Umask(oldMask)
 	return os.Chown(fifoName, rootuid, rootgid)
 }
 
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index 88ecb287c11..3145299d33d 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
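Review bot: The new `f.Chmod(0o666)` error path in mountConsole returns before `f.Close()`, so the descriptor opened by `os.Create("/dev/console")` is leaked whenever the chmod fails; close unconditionally and check afterwards, e.g. `err := f.Chmod(0o666)`, `f.Close()`, `if err != nil { return err }`. When `os.Create` reports that the node already exists, `f` is nil and the existing node's mode is left as it was — that matches the old umask-based code, but a one-line comment on the `f != nil` branch saying the chmod only applies to a node this function created would make that intent explicit.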
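Review bot: The fifo mode `0o622` is now spelled twice in createExecFifo, once for `unix.Mkfifo` and once for the added `os.Chmod`, so the two can drift apart; a local `const fifoMode = 0o622` used in both calls keeps the post-umask fix tied to the creation mode. If `os.Chmod` fails, the fifo created on the line above is left behind and a retry would trip the `os.Stat` "already exists" check at the top of the hunk, so removing it on that error path (`_ = os.Remove(fifoName)` before `return err`) is worth considering. The same leftover-node question applies to the chmod added in mknodDevice in rootfs_linux.go. createExecFifo begins before this hunk.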
@@ -704,7 +704,6 @@ func reOpenDevNull() error {
 // Create the device nodes in the container.
 func createDevices(config *configs.Config) error {
 	useBindMount := userns.RunningInUserNS() || config.Namespaces.Contains(configs.NEWUSER)
-	oldMask := unix.Umask(0o000)
 	for _, node := range config.Devices {
 
 		// The /dev/ptmx device is setup by setupPtmx()
@@ -715,11 +714,9 @@ func createDevices(config *configs.Config) error {
 		// containers running in a user namespace are not allowed to mknod
 		// devices so we can just bind mount it from the host.
 		if err := createDeviceNode(config.Rootfs, node, useBindMount); err != nil {
-			unix.Umask(oldMask)
 			return err
 		}
 	}
-	unix.Umask(oldMask)
 	return nil
 }
 
@@ -782,6 +779,10 @@ func mknodDevice(dest string, node *devices.Device) error {
 	if err := unix.Mknod(dest, uint32(fileMode), int(dev)); err != nil {
 		return &os.PathError{Op: "mknod", Path: dest, Err: err}
 	}
+	// Ensure permission bits (can be different because of umask).
+	if err := os.Chmod(dest, fileMode); err != nil {
+		return err
+	}
 	return os.Chown(dest, int(node.Uid), int(node.Gid))
 }
 
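Review bot: `os.Chmod(dest, fileMode)` in mknodDevice relies on os.Chmod applying only the permission bits plus setuid/setgid/sticky, so anything else `fileMode` carries for `unix.Mknod` (the `uint32(fileMode)` cast suggests the device type bits are ORed in, but fileMode is assigned before the hunk) is silently dropped rather than rejected; a comment such as `// os.Chmod ignores the S_IF* type bits; only the permission bits are applied.` would record that this is intended. Separately, the earlier hunks in this file stop createDevices from running createDeviceNode under umask 0, and this chmod covers only the mknod path; if the bind-mount path creates a placeholder file, its mode is now subject to the caller's umask, which is worth confirming. mknodDevice's start is outside the hunk.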