diff --git a/src/common/admin_socket.cc b/src/common/admin_socket.cc
index 36e198cb7bf..711d2040b17 100644
--- a/src/common/admin_socket.cc
+++ b/src/common/admin_socket.cc
@@ -299,6 +299,18 @@ void AdminSocket::chown(uid_t uid, gid_t gid)
   }
 }
 
+void AdminSocket::chmod(mode_t mode)
+{
+  if (m_sock_fd >= 0) {
+    int r = ::chmod(m_path.c_str(), mode);
+    if (r < 0) {
+      r = -errno;
+      lderr(m_cct) << "AdminSocket: failed to chmod socket: "
+                   << cpp_strerror(r) << dendl;
+    }
+  }
+}
+
 bool AdminSocket::do_accept()
 {
   struct sockaddr_un address;
diff --git a/src/common/admin_socket.h b/src/common/admin_socket.h
index 2529d547a77..44b8a52be2b 100644
--- a/src/common/admin_socket.h
+++ b/src/common/admin_socket.h
@@ -78,6 +78,7 @@ public:
   bool init(const std::string &path);
 
   void chown(uid_t uid, gid_t gid);
+  void chmod(mode_t mode);
 
 private:
   AdminSocket(const AdminSocket& rhs);
diff --git a/src/common/common_init.cc b/src/common/common_init.cc
index d4ed4f964df..ffe4baec797 100644
--- a/src/common/common_init.cc
+++ b/src/common/common_init.cc
@@ -24,6 +24,7 @@
 #include "common/safe_io.h"
 #include "common/valgrind.h"
 #include "common/version.h"
+#include "common/strtol.h"
 #include "include/color.h"
 
 #include <errno.h>
@@ -132,4 +133,23 @@ void common_init_finish(CephContext *cct)
       (cct->get_set_uid() || cct->get_set_gid())) {
     cct->get_admin_socket()->chown(cct->get_set_uid(), cct->get_set_gid());
   }
+
+  md_config_t *conf = cct->_conf;
+
+  if (!conf->admin_socket.empty() && !conf->admin_socket_mode.empty()) {
+    int ret = 0;
+    std::string err;
+
+    ret = strict_strtol(conf->admin_socket_mode.c_str(), 8, &err);
+    if (err.empty()) {
+      if (!(ret & (~ACCESSPERMS))) {
+        cct->get_admin_socket()->chmod(static_cast<mode_t>(ret));
+      } else {
+        lderr(cct) << "Invalid octal permissions string: "
+            << conf->admin_socket_mode << dendl;
+      }
+    } else {
+      lderr(cct) << "Invalid octal string: " << err << dendl;
+    }
+  }
 }
diff --git a/src/common/config_opts.h b/src/common/config_opts.h
index 63babc2fe87..b7787ac7979 100644
--- a/src/common/config_opts.h
+++ b/src/common/config_opts.h
@@ -27,6 +27,7 @@ OPTION(lockdep, OPT_BOOL, false)
 OPTION(lockdep_force_backtrace, OPT_BOOL, false) // always gather current backtrace at every lock
 OPTION(run_dir, OPT_STR, "/var/run/ceph")       // the "/var/run/ceph" dir, created on daemon startup
 OPTION(admin_socket, OPT_STR, "$run_dir/$cluster-$name.asok") // default changed by common_preinit()
+OPTION(admin_socket_mode, OPT_STR, "") // permission bits to set for admin socket file, e.g., "0775", "0755"
 OPTION(crushtool, OPT_STR, "crushtool") // crushtool utility path
 
 OPTION(daemonize, OPT_BOOL, false) // default changed by common_preinit()