diff --git a/util_unix.go b/util_unix.go
index 366130b..a374ad8 100644
--- a/util_unix.go
+++ b/util_unix.go
@@ -7,7 +7,17 @@ import (
 )
 
 func tempFileOnce(dir, pattern string) (*os.File, error) {
-	return os.CreateTemp(dir, pattern)
+	f, err := os.CreateTemp(dir, pattern)
+	if err != nil {
+		return nil, err
+	}
+	// os.CreateTemp hardcodes 0600; relax to 0666 so umask controls final permissions
+	if err := f.Chmod(0666); err != nil {
+		f.Close()
+		os.Remove(f.Name())
+		return nil, err
+	}
+	return f, nil
 }
 
 func readFileOnce(filename string) ([]byte, error) {
diff --git a/util_windows.go b/util_windows.go
index ac0f76b..99074f0 100644
--- a/util_windows.go
+++ b/util_windows.go
@@ -61,7 +61,7 @@ func tempFileOnce(dir, pattern string) (f *os.File, err error) {
 	nconflict := 0
 	for i := 0; i < 10000; i++ {
 		name := filepath.Join(dir, prefix+nextRandom()+suffix)
-		f, err = goissue34681.OpenFile(name, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0600)
+		f, err = goissue34681.OpenFile(name, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0666)
 		if os.IsExist(err) {
 			if nconflict++; nconflict > 10 {
 				randmu.Lock()