diff --git a/roles/arch_boxes/tasks/main.yml b/roles/arch_boxes/tasks/main.yml
index 2bd1f8eb0f5f907ab251710846af4e33c35fac83..90949022d1e09d0900d6699f5c87cbe13e7d3346 100644
--- a/roles/arch_boxes/tasks/main.yml
+++ b/roles/arch_boxes/tasks/main.yml
@@ -20,7 +20,7 @@
   file: path="{{ archboxes_git_dir }}" state=directory recurse=yes owner="{{ archboxes_user }}" group="{{ archboxes_user }}" mode=preserve
 
 - name: ensure controller.py of arch-boxes is executable
-  file: path="{{ archboxes_git_dir }}/controller.py" mode=0744 owner=root group=root
+  file: path="{{ archboxes_git_dir }}/controller.py" mode=0755 owner=root group=root
 
 - name: replace placeholder to vagrantcloud API Key
   no_log: true
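Review bot: The root ownership asserted on `controller.py` in the changed line gives little integrity protection, because the task just above recursively hands `{{ archboxes_git_dir }}` to `{{ archboxes_user }}`, and a directory's owner can rename or replace any file in it regardless of that file's own owner and mode. If anything runs this script with more privilege than `archboxes_user` (not visible in this hunk), the script should live in a root-owned directory instead. The two tasks also alternate the file's owner, so the play will likely report a change on every run. A comment such as `# controller.py stays root-owned; the rest of the checkout belongs to archboxes_user` would at least record the intent.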
diff --git a/roles/archweb/tasks/main.yml b/roles/archweb/tasks/main.yml
index b327387ad12a333e71855e0c9a25b46b88fe9d87..df59d3875a64f2a391909745e07639e944522ad1 100644
--- a/roles/archweb/tasks/main.yml
+++ b/roles/archweb/tasks/main.yml
@@ -265,7 +265,7 @@
 - name: deploy new release
   become: true
   become_user: archweb
-  file: path=/etc/uwsgi/vassals/archweb.ini state=touch owner=root group=root mode=0600
+  file: path=/etc/uwsgi/vassals/archweb.ini state=touch owner=root group=root mode=0644
   when: archweb_site and (release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)
   notify: restart archweb memcached
 
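Review bot: Mode `0644` on `/etc/uwsgi/vassals/archweb.ini` makes the vassal config readable by every local account, so confirm that the ini carries no secrets such as environment values or keys; its contents are not visible here. If only uWSGI and the archweb user need to read it, a group-scoped mode is narrower, e.g. `group=archweb mode=0640`, assuming such a group exists on the host. The task also runs with `become_user: archweb` while asserting `owner=root group=root`, which an unprivileged user cannot enforce if ownership ever drifts. A short comment saying why the touch runs as archweb would help the next reader.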
diff --git a/roles/gitlab_runner/tasks/main.yml b/roles/gitlab_runner/tasks/main.yml
index bc8eb4dfafcf26ad0ca0c11de7ea05529b26c5e2..c5e18fab1998a96f2988a348b9d63dffc19aee20 100644
--- a/roles/gitlab_runner/tasks/main.yml
+++ b/roles/gitlab_runner/tasks/main.yml
@@ -35,7 +35,7 @@
     path: /etc/gitlab-runner/config.toml
     owner: root
     group: root
-    mode: 0640
+    mode: 0600
     regexp: '^concurrent = .*'
     line: concurrent = 100
   notify: restart gitlab-runner
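Review bot: The new `mode: 0600` is an unquoted octal literal, which yields the intended permission only because a YAML 1.1 loader reads the leading zero as octal. Writing it as `mode: '0600'` keeps the value a string, so a dropped zero or a YAML 1.2 tool cannot silently produce a different mode. The tightening itself suits a file that usually holds runner tokens. The task's name and module line sit above the hunk, so this is judged from the visible parameters only.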