diff --git a/ChangeLog b/ChangeLog index 326a23e2..67a66bc0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -62,6 +62,8 @@ fwknop-2.0.2 (08//2012): match exists to ensure the proper environment for fwknopd operations. This check is controlled by the new ENABLE_IPT_COMMENT_CHECK variable, and was suggested by Hank Leininger. + - [server] 'make install' fix to ensure restrictive permissions on the + /etc/fwknop/ directory and /etc/fwknop/* files. fwknop-2.0.1 (07/23/2012): - [server] Bug fix where the same encryption key used for two stanzas in diff --git a/Makefile.am b/Makefile.am index 0c296841..68eb30bd 100644 --- a/Makefile.am +++ b/Makefile.am @@ -169,3 +169,6 @@ dist-hook: rm -f $(distdir)/client/fwknop.8 rm -f $(distdir)/server/fwknopd.8 +install-exec-hook: + chmod 500 $(sysconfdir)/fwknop + chmod 700 $(sysconfdir)/fwknop/* diff --git a/todo.org b/todo.org index 322b01db..2a6aaa85 100644 --- a/todo.org +++ b/todo.org @@ -6,6 +6,9 @@ :CLOSED: <2012-08-12 Sun> Hank Leininger suggested that fwknopd do better detection for the iptables comment match since it is required for the expiration of SPA rules. +*** Set restrictive permissions on /etc/fwknop/ directory and /etc/fwknop/* files. + :CLOSED: <2012-08-12 Sun> + Current default permissions on /etc/fwknop/ and /etc/fwknop/* are too lax. ** Include files for access.conf Hank Leininger suggested that the main access.conf file have an option to include other files in which access stanzas can be specified. This makes @@ -17,5 +20,3 @@ ** ipfw active/expire sets cannot be the same Add a check to ensure that active and expire sets are not the same value in fwknopd.conf, and add a corresponding test in the test suite. -** Set restrictive permissions on /etc/fwknop/ directory and /etc/fwknop/* files. - Current default permissions on /etc/fwknop/ and /etc/fwknop/* are too lax.
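Review bot: the ChangeLog entry names /etc/fwknop/ while the Makefile.am hook in the same patch acts on $(sysconfdir)/fwknop, and Automake's sysconfdir defaults to $(prefix)/etc (/usr/local/etc for a plain ./configure), so the entry is only accurate when configure was run with --sysconfdir=/etc; wording it as "the fwknopd configuration directory ($(sysconfdir)/fwknop, /etc/fwknop/ by default on packaged builds)" avoids promising a path the install may not touch. The surrounding release line "fwknop-2.0.2 (08//2012):" also still has an empty day field that should be filled in before the release is tagged.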
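Review bot: the new install-exec-hook runs `chmod 500 $(sysconfdir)/fwknop` and `chmod 700 $(sysconfdir)/fwknop/*` against the bare $(sysconfdir), not $(DESTDIR)$(sysconfdir), so a staged install (make install DESTDIR=/some/stage, which distribution packaging depends on) either fails because the path does not exist or tightens permissions on the live system's configuration tree instead of the staging tree; prefix both paths with $(DESTDIR). Two further points: 700 sets the execute bit on fwknopd.conf, access.conf and the other files in that directory, which are read by fwknopd and never executed, so 600 is the least-privilege mode; and if those files are installed as DATA, Automake runs install-exec (and therefore this hook) before install-data, so on a fresh install the glob can be evaluated before any files exist and the chmod errors out, which is exactly the case install-data-hook is meant for.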