diff --git a/node/tools/src/bin/localnet_config.rs b/node/tools/src/bin/localnet_config.rs
index b39d2196..38a22bc9 100644
--- a/node/tools/src/bin/localnet_config.rs
+++ b/node/tools/src/bin/localnet_config.rs
@@ -4,8 +4,9 @@ use clap::Parser;
 use rand::{seq::SliceRandom as _, Rng};
 use std::{
 collections::{HashMap, HashSet},
- fs,
+ fs::{self, Permissions},
 net::{Ipv4Addr, SocketAddr},
+ os::unix::fs::PermissionsExt,
 path::PathBuf,
 };
 use zksync_consensus_roles::{node, validator};
@@ -102,7 +103,13 @@ fn main() -> anyhow::Result<()> {
 let root = args.output_dir.join(&cfg.public_addr.0);
 let _ = fs::remove_dir_all(&root);
 fs::create_dir_all(&root).with_context(|| format!("create_dir_all({:?})", root))?;
- fs::write(root.join("config.json"), encode_json(&Serde(cfg))).context("fs::write()")?;
+ fs::set_permissions(root.clone(), Permissions::from_mode(0o700))
+ .context("fs::set_permissions()")?;
+
+ let config_path = root.join("config.json");
+ fs::write(&config_path, encode_json(&Serde(cfg))).context("fs::write()")?;
+ fs::set_permissions(&config_path, Permissions::from_mode(0o600))
+ .context("fs::set_permissions()")?;
 }
 Ok(())
 }
diff --git a/node/tools/src/main.rs b/node/tools/src/main.rs
index 6553b905..0d6378ed 100644
--- a/node/tools/src/main.rs
+++ b/node/tools/src/main.rs
@@ -2,6 +2,8 @@
 //! manages communication between the actors. It is the main executable in this workspace.
 use anyhow::Context as _;
 use clap::Parser;
+use std::fs::Permissions;
+use std::os::unix::fs::PermissionsExt;
 use std::{fs, io::IsTerminal as _, path::PathBuf};
 use tracing::metadata::LevelFilter;
 use tracing_subscriber::{prelude::*, Registry};
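Review bot: The new `os::unix::fs::PermissionsExt` import in the `use std::{…}` group of `localnet_config.rs` is not behind `#[cfg(unix)]`, and the same holds for `use std::os::unix::fs::PermissionsExt;` in the import hunk of `node/tools/src/main.rs`, so both binaries now build only for Unix targets. If that is the intent, a short comment next to the import would record it, e.g. `// Unix-only: file modes are set explicitly below.`; otherwise the import and the `Permissions::from_mode` calls need a `#[cfg(unix)]` gate.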
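Review bot: In the `main` hunk of `localnet_config.rs`, `fs::write(&config_path, …)` still creates `config.json` with the process's default mode and only the following `set_permissions` call narrows it to 0o600; the file is covered in between only because the parent directory was set to 0o700 just before. Applying the mode when the file is opened removes that dependence on ordering: `fs::OpenOptions::new().write(true).create(true).truncate(true).mode(0o600).open(&config_path)` (via `std::os::unix::fs::OpenOptionsExt`), then write the JSON to that handle. Both new calls also use the same context string `"fs::set_permissions()"`, so a failure does not say which path was involved, unlike the `create_dir_all` line above; and `root.clone()` can simply be `&root`. The body of `main` starts outside the hunk.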
@@ -53,8 +55,13 @@ async fn main() -> anyhow::Result<()> {
 tracing::trace!("Starting node");
 // Create log file.
- fs::create_dir_all("logs/")?;
- let log_file = fs::File::create("logs/output.log")?;
+ let dir_path = "logs/";
+ fs::create_dir_all(dir_path)?;
+ fs::set_permissions(dir_path, Permissions::from_mode(0o700))?;
+
+ let file_path = "logs/output.log";
+ let log_file = fs::File::create(file_path)?;
+ fs::set_permissions(file_path, Permissions::from_mode(0o600))?;
 // Create the logger for stdout. This will produce human-readable logs for ERROR events.
 // To see logs for other events, set the RUST_LOG environment to the desired level.
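Review bot: The mode of `logs/output.log` is set by path after `fs::File::create(file_path)` has already returned an open handle, so the path is resolved a second time; `log_file.set_permissions(Permissions::from_mode(0o600))?;` applies the mode to the file that was actually opened. The two new `set_permissions` calls also propagate with a bare `?`, unlike the ones in `localnet_config.rs`, so a startup failure (for instance a pre-existing `logs/` that the process does not own) reports no path. Since the file already imports `anyhow::Context`, something like `.context("set_permissions(logs/)")?` would make that diagnosable. The body of `main` starts and ends outside the hunk.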