diff --git a/ChangeLog b/ChangeLog
index f63e3b753..21ccd0223 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2012-02-03  Mark Wooding <mdw@distorted.org.uk>
+
+	* util/grub-mkconfig.in: Use umask rather than chmod to create
+	grub.cfg.new to avoid insecure grub.cfg.
+
 2012-02-03  Vladimir Serbinenko  <phcoder@gmail.com>
 
         * grub-core/commands/ls.c: Gettextize.
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
index c876a4e4c..859c2e8c3 100644
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@@ -248,13 +248,10 @@ export GRUB_DEFAULT \
   GRUB_BADRAM
 
 if test "x${grub_cfg}" != "x"; then
-  rm -f ${grub_cfg}.new
-  exec > ${grub_cfg}.new
-
-  # Allow this to fail, since /boot/grub/ might need to be fatfs to support some
-  # firmware implementations (e.g. OFW or EFI).
-  chmod 400 ${grub_cfg}.new || grub_warn "$(gettext_printf "Could not make %s \
-readable by only root. This means that if the generated config contains a password it is readable by everyone" "${grub_cfg}.new")"
+  rm -f "${grub_cfg}.new"
+  oldumask=$(umask); umask 077
+  exec > "${grub_cfg}.new"
+  umask $oldumask
 fi
 gettext "Generating grub.cfg ..." >&2
 echo >&2