diff --git a/virtcontainers/fc.go b/virtcontainers/fc.go
index 332c038cc6..8d7974655a 100644
--- a/virtcontainers/fc.go
+++ b/virtcontainers/fc.go
@@ -599,6 +599,11 @@ func (fc *firecracker) fcStartVM() error {
 return err
 }
 
+ // make sure 'others' don't have access to this socket
+ if err := os.Chmod(filepath.Join(fc.jailerRoot, defaultHybridVSocketName), 0640); err != nil {
+ return fmt.Errorf("Could not change socket permissions: %v", err)
+ }
+
 fc.state.set(vmReady)
 return nil
 }
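Review bot: The added `os.Chmod` on the hybrid vsock socket runs only after the preceding start step has returned, so if the socket is created before this point (the hunk does not show where), it sits under `fc.jailerRoot` with the creating process's umask-derived mode until the chmod lands. The tightening is more robust if the containing directory is not traversable by other users, or the creating process runs with a restrictive umask, with this chmod kept as defence in depth. The mode `0640` also grants group read on a socket, where connecting is governed by the write bit on Linux, so `os.Chmod(filepath.Join(fc.jailerRoot, defaultHybridVSocketName), 0600)` would state the intent more plainly. On the new error path the function returns after the VM has apparently been started, so it is worth confirming that the caller tears the VM down; `fcStartVM` begins outside the hunk.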