diff --git a/docs/install.rst b/docs/install.rst
index a78ce74d..335ffbc6 100644
--- a/docs/install.rst
+++ b/docs/install.rst
@@ -100,11 +100,11 @@ errors with trying to create User settings.
 (substitute www-data for the user / group that your web server runs as, eg 'apache' or 'httpd')
- If all else fails ensure all users can write to it::
+ If all else fails, you could ensure all users can write to it::
 chmod 777 attachments/
- This is NOT recommended, especially if you're on a shared server.
+ But this is NOT recommended, especially if you're on a shared server.
 6. Ensure that your ``attachments`` folder has directory listings turned off, to ensure users don't download files that they are not specifically linked to from their tickets.
diff --git a/helpdesk/models.py b/helpdesk/models.py
index a8f649cd..c640edce 100644
--- a/helpdesk/models.py
+++ b/helpdesk/models.py
@@ -763,7 +763,8 @@ def attachment_path(instance, filename):
 att_path = os.path.join(settings.MEDIA_ROOT, path)
 if settings.DEFAULT_FILE_STORAGE == "django.core.files.storage.FileSystemStorage":
 if not os.path.exists(att_path):
- os.makedirs(att_path, 0o777)
+ # TODO: is there a better way to handle directory permissions more consistently?
+ os.makedirs(att_path, 0o700)
 return os.path.join(path, filename)
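Review bot: The mode in `os.makedirs(att_path, 0o700)` is masked by the process umask and, on Python 3.7 and later, applies only to the leaf directory, so any parent directories created by the same call still get the umask default rather than 0o700. The `if not os.path.exists(att_path)` guard above it also means attachment directories that earlier releases created with 0o777 keep that mode after an upgrade, so a one-time `chmod` of the existing tree should be documented alongside this change. For the TODO, Django's `FILE_UPLOAD_DIRECTORY_PERMISSIONS` setting is the consistent place to configure this, since FileSystemStorage applies it to the directories it creates when saving a file; if the explicit call stays, `os.makedirs(att_path, mode=0o700, exist_ok=True)` also removes the check-then-create race. If attachments are served by a web server running as a different user than the application, 0o700 would presumably block it, which seems worth a sentence in docs/install.rst. The body of attachment_path starts outside the hunk.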