diff --git a/ChangeLog b/ChangeLog
index 63924d917..df1ac0733 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2009-09-10  Felix Zielcke  <fzielcke@z-51.de>
+
+	* util/grub-mkconfig.in: Make the created config mode 400 and
+	print a warning if it fails.
+
 2009-09-10  Robert Millan  <rmh.grub@aybabtu.com>
 
 	* util/grub.d/40_custom.in: Ask user to type custom entries below
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
index d9640e910..a8c267518 100644
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@@ -232,7 +232,8 @@ if test "x${grub_cfg}" != "x"; then
 
   # Allow this to fail, since /boot/grub/ might need to be fatfs to support some
   # firmware implementations (e.g. OFW or EFI).
-  chmod 444 ${grub_cfg}.new || true
+  chmod 400 ${grub_cfg}.new || grub_warn "Could not make ${grub_cfg}.new readable by only root.\
+  This means that if the generated config contains a password it is readable by everyone"
 fi
 echo "Generating grub.cfg ..." >&2