diff --git a/.golangci.yml b/.golangci.yml
index de823f35625..4fc058d727b 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -69,6 +69,7 @@ linters-settings:
       - G109
       - G112
       - G114
+      - G301
       - G302
 
 run:
diff --git a/pkg/alertmanager/multitenant.go b/pkg/alertmanager/multitenant.go
index 336fb5aa36a..f575811c48b 100644
--- a/pkg/alertmanager/multitenant.go
+++ b/pkg/alertmanager/multitenant.go
@@ -325,7 +325,7 @@ type MultitenantAlertmanager struct {
 
 // NewMultitenantAlertmanager creates a new MultitenantAlertmanager.
 func NewMultitenantAlertmanager(cfg *MultitenantAlertmanagerConfig, store alertstore.AlertStore, limits Limits, features featurecontrol.Flagger, logger log.Logger, registerer prometheus.Registerer) (*MultitenantAlertmanager, error) {
-	err := os.MkdirAll(cfg.DataDir, 0777)
+	err := os.MkdirAll(cfg.DataDir, 0750)
 	if err != nil {
 		return nil, fmt.Errorf("unable to create Alertmanager data directory %q: %s", cfg.DataDir, err)
 	}
@@ -915,7 +915,7 @@ func (am *MultitenantAlertmanager) newAlertmanager(userID string, amConfig *defi
 	reg := prometheus.NewRegistry()
 
 	tenantDir := am.getTenantDirectory(userID)
-	err := os.MkdirAll(tenantDir, 0777)
+	err := os.MkdirAll(tenantDir, 0750)
 	if err != nil {
 		return nil, errors.Wrapf(err, "failed to create per-tenant directory %v", tenantDir)
 	}
@@ -1368,7 +1368,7 @@ func safeTemplateFilepath(dir, templateName string) (string, error) {
 func storeTemplateFile(templateFilepath, content string) (bool, error) {
 	// Make sure the directory exists.
 	dir := filepath.Dir(templateFilepath)
-	err := os.MkdirAll(dir, 0755)
+	err := os.MkdirAll(dir, 0750)
 	if err != nil {
 		return false, fmt.Errorf("unable to create Alertmanager templates directory %q: %s", dir, err)
 	}
diff --git a/pkg/blockbuilder/blockbuilder.go b/pkg/blockbuilder/blockbuilder.go
index 865455661be..c04ad57adb7 100644
--- a/pkg/blockbuilder/blockbuilder.go
+++ b/pkg/blockbuilder/blockbuilder.go
@@ -83,7 +83,7 @@ func (b *BlockBuilder) starting(context.Context) (err error) {
 	if err := os.RemoveAll(b.cfg.DataDir); err != nil {
 		return fmt.Errorf("removing data dir: %w", err)
 	}
-	if err := os.MkdirAll(b.cfg.DataDir, os.ModePerm); err != nil {
+	if err := os.MkdirAll(b.cfg.DataDir, 0750); err != nil {
 		return fmt.Errorf("creating data dir: %w", err)
 	}
 
diff --git a/pkg/blockbuilder/tsdb.go b/pkg/blockbuilder/tsdb.go
index ee2d610fe78..d7b9b043999 100644
--- a/pkg/blockbuilder/tsdb.go
+++ b/pkg/blockbuilder/tsdb.go
@@ -258,7 +258,7 @@ func (b *TSDBBuilder) newTSDB(tenant tsdbTenant) (*userTSDB, error) {
 	if err := os.RemoveAll(udir); err != nil {
 		return nil, err
 	}
-	if err := os.MkdirAll(udir, os.ModePerm); err != nil {
+	if err := os.MkdirAll(udir, 0750); err != nil {
 		return nil, err
 	}
 
diff --git a/pkg/mimirtool/commands/remote_read.go b/pkg/mimirtool/commands/remote_read.go
index 8d44d2604be..9dbe8d74f8a 100644
--- a/pkg/mimirtool/commands/remote_read.go
+++ b/pkg/mimirtool/commands/remote_read.go
@@ -444,7 +444,7 @@ func (c *RemoteReadCommand) export(_ *kingpin.ParseContext) error {
 		log.Infof("Created TSDB in path '%s'", c.tsdbPath)
 	} else {
 		if _, err := os.Stat(c.tsdbPath); err != nil && os.IsNotExist(err) {
-			if err = os.Mkdir(c.tsdbPath, 0755); err != nil {
+			if err = os.Mkdir(c.tsdbPath, 0750); err != nil {
 				return err
 			}
 			log.Infof("Created TSDB in path '%s'", c.tsdbPath)
@@ -483,7 +483,7 @@ func (c *RemoteReadCommand) export(_ *kingpin.ParseContext) error {
 	// ensure that tsdb directory has WAL, otherwise 'promtool tsdb dump' fails
 	walPath := filepath.Join(c.tsdbPath, "wal")
 	if _, err := os.Stat(walPath); err != nil && os.IsNotExist(err) {
-		if err := os.Mkdir(walPath, 0755); err != nil {
+		if err := os.Mkdir(walPath, 0750); err != nil {
 			return err
 		}
 	}
diff --git a/pkg/storage/tsdb/block/block.go b/pkg/storage/tsdb/block/block.go
index be8d04ee3ca..43cbc6a963d 100644
--- a/pkg/storage/tsdb/block/block.go
+++ b/pkg/storage/tsdb/block/block.go
@@ -63,7 +63,7 @@ func Download(ctx context.Context, logger log.Logger, bucket objstore.Bucket, id
 	_, err := os.Stat(chunksDir)
 	if os.IsNotExist(err) {
 		// This can happen if block is empty. We cannot easily upload empty directory, so create one here.
-		return os.Mkdir(chunksDir, os.ModePerm)
+		return os.Mkdir(chunksDir, 0750)
 	}
 	if err != nil {
 		return errors.Wrapf(err, "stat %s", chunksDir)
diff --git a/pkg/storage/tsdb/block/fetcher.go b/pkg/storage/tsdb/block/fetcher.go
index a91107badd4..1ca50ef36e9 100644
--- a/pkg/storage/tsdb/block/fetcher.go
+++ b/pkg/storage/tsdb/block/fetcher.go
@@ -160,7 +160,7 @@ func NewMetaFetcher(logger log.Logger, concurrency int, bkt objstore.Instrumente
 	cacheDir := ""
 	if dir != "" {
 		cacheDir = filepath.Join(dir, "meta-syncer")
-		if err := os.MkdirAll(cacheDir, os.ModePerm); err != nil {
+		if err := os.MkdirAll(cacheDir, 0750); err != nil {
 			return nil, err
 		}
 	}
@@ -269,7 +269,7 @@ func (f *MetaFetcher) loadMeta(ctx context.Context, id ulid.ULID) (*Meta, error)
 
 	// Best effort cache in local dir.
 	if f.cacheDir != "" {
-		if err := os.MkdirAll(cachedBlockDir, os.ModePerm); err != nil {
+		if err := os.MkdirAll(cachedBlockDir, 0750); err != nil {
 			level.Warn(f.logger).Log("msg", "best effort mkdir of the meta.json block dir failed; ignoring", "dir", cachedBlockDir, "err", err)
 		}
 
diff --git a/pkg/storegateway/indexheader/binary_reader.go b/pkg/storegateway/indexheader/binary_reader.go
index 03483a5c5ad..afd87d52ce2 100644
--- a/pkg/storegateway/indexheader/binary_reader.go
+++ b/pkg/storegateway/indexheader/binary_reader.go
@@ -249,7 +249,7 @@ func newBinaryWriter(fn string, buf []byte) (w *binaryWriter, err error) {
 
 	df, err := fileutil.OpenDir(dir)
 	if os.IsNotExist(err) {
-		if err := os.MkdirAll(dir, os.ModePerm); err != nil {
+		if err := os.MkdirAll(dir, 0750); err != nil {
 			return nil, err
 		}
 		df, err = fileutil.OpenDir(dir)
diff --git a/pkg/util/test/copy.go b/pkg/util/test/copy.go
index ea5c7c05e5c..9b743b781a0 100644
--- a/pkg/util/test/copy.go
+++ b/pkg/util/test/copy.go
@@ -32,7 +32,7 @@ func copyRecursive(src, dst string) error {
 		}
 
 		if info.IsDir() {
-			return os.MkdirAll(filepath.Join(dst, relPath), os.ModePerm)
+			return os.MkdirAll(filepath.Join(dst, relPath), 0700)
 		}
 
 		if !info.Mode().IsRegular() {
diff --git a/tools/benchmark-query-engine/main.go b/tools/benchmark-query-engine/main.go
index dfaf06a3bbc..21c734e507b 100644
--- a/tools/benchmark-query-engine/main.go
+++ b/tools/benchmark-query-engine/main.go
@@ -187,7 +187,7 @@ func (a *app) createTempDir() error {
 	slog.Info("created temporary directory", "dir", a.tempDir)
 
 	a.dataDir = filepath.Join(a.tempDir, "data")
-	if err := os.Mkdir(a.dataDir, 0777); err != nil {
+	if err := os.Mkdir(a.dataDir, 0700); err != nil {
 		return fmt.Errorf("could not create data directory '%v': %w", a.dataDir, err)
 	}