diff --git a/cmd/launcher/launcher.go b/cmd/launcher/launcher.go
index d620b7b39..67211d005 100644
--- a/cmd/launcher/launcher.go
+++ b/cmd/launcher/launcher.go
@@ -18,6 +18,7 @@ import (
 "github.com/apache/thrift/lib/go/thrift"
 "github.com/go-kit/kit/log"
 "github.com/go-kit/kit/log/level"
+ "github.com/kolide/kit/fsutil"
 "github.com/kolide/kit/logutil"
 "github.com/kolide/kit/ulid"
 "github.com/kolide/kit/version"
@@ -110,9 +111,22 @@ func runLauncher(ctx context.Context, cancel func(), opts *launcher.Options) err
 )
 }
- if err := os.MkdirAll(rootDirectory, 0700); err != nil {
+ if err := os.MkdirAll(rootDirectory, fsutil.DirMode); err != nil {
 return fmt.Errorf("creating root directory: %w", err)
 }
+ // Ensure permissions are correct, regardless of umask settings -- we use
+ // DirMode (0755) because the desktop processes that run as the user
+ // must be able to access the root directory as well.
+ if err := os.Chmod(rootDirectory, fsutil.DirMode); err != nil {
+ return fmt.Errorf("chmodding root directory: %w", err)
+ }
+ if filepath.Dir(rootDirectory) == "/var/kolide-k2" {
+ // We need to ensure the same for the parent of the root directory, but we only
+ // want to do the same for Kolide-created directories.
+ if err := os.Chmod(filepath.Dir(rootDirectory), fsutil.DirMode); err != nil {
+ return fmt.Errorf("chmodding root directory parent: %w", err)
+ }
+ }
 if _, err := osquery.DetectPlatform(); err != nil {
 return fmt.Errorf("detecting platform: %w", err)
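Review bot: Widening the root directory from 0700 to `fsutil.DirMode` (0755 per the added comment) in the second hunk means the directory no longer keeps other local users out, so every file and subdirectory under it is now protected only by its own mode, and its names can be listed by any local account rather than just the desktop user. The hunk does not show what is stored under `rootDirectory`, so this needs a check that secrets, keys and databases there are created with explicit 0600/0700 modes, and the comment should say so, e.g. `// rootDirectory is listable and traversable by all local users; anything sensitive beneath it must be created 0600/0700.` Separately, both `os.Chmod` calls run unconditionally on paths that may already exist and follow symlinks, so if either path could be a link the mode change lands on the link target; an `os.Lstat` check that the path is a real directory before the chmod would close that. `runLauncher` starts and ends outside this hunk, so existing handling for either point may simply not be visible here.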