diff --git a/pseudo_client.h b/pseudo_client.h
index 9d98ea1..83dbe08 100644
--- a/pseudo_client.h
+++ b/pseudo_client.h
@@ -88,12 +88,15 @@ extern int read_pidfile(FILE *, int *);
  * the user read/write/execute bits.  When storing to the database, though,
  * we mask out any such bits which weren't in the original mode.
  *
+ * Additional setuid/setgid modes are also filteed as they are unsafe as
+ * a real executable may allow someone to setuid/gid as the running user.
+ *
  * Note: PSEUDO_DB_MODE must be kept in sync with PSEUDO_FS_MODE, as the
  * former defined which filesystem mode bits must be loaded from the DB.
  *
  * Note: S_ISUID and S_ISGID may be stripped during a mkdir as a user,
  * account for this in PSEUDO_DB_MODE.
  */
-#define PSEUDO_FS_MODE(mode, isdir) (((mode) | S_IRUSR | S_IWUSR | ((isdir) ? S_IXUSR : 0)) & ~(S_IWGRP | S_IWOTH))
+#define PSEUDO_FS_MODE(mode, isdir) (((mode) | S_IRUSR | S_IWUSR | ((isdir) ? S_IXUSR : 0)) & ~(S_IWGRP | S_IWOTH | S_ISUID | S_ISGID))
 #define PSEUDO_DB_MODE(fs_mode, user_mode) (((fs_mode) & ~(S_IRUSR | S_IWUSR | S_IXUSR | S_IWGRP | S_IWOTH | S_ISUID | S_ISGID)) | ((user_mode) & (S_IRUSR | S_IWUSR | S_IXUSR | S_IWGRP | S_IWOTH | S_ISUID | S_ISGID)))
 
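Review bot: The existing note `Note: S_ISUID and S_ISGID may be stripped during a mkdir as a user` is now stale, because the new PSEUDO_FS_MODE strips both bits unconditionally for every path, not only on mkdir; fold it into the added paragraph so the rationale appears once. The added paragraph also has a typo (`filteed`) and would be clearer stating the actual risk, e.g. `Setuid/setgid bits are likewise filtered: the real file is owned by the unprivileged running user, so leaving them set would let other local users execute it with that user's uid/gid. The user's bits are still recorded in the DB via PSEUDO_DB_MODE.` Since the FS and DB masks are kept in sync by hand, consider defining the user-owned bit set once, `#define PSEUDO_USER_MODE_BITS (S_IRUSR | S_IWUSR | S_IXUSR | S_IWGRP | S_IWOTH | S_ISUID | S_ISGID)`, and using it in both places so the "must be kept in sync" note is enforced rather than advisory.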
