diff --git a/src/modules/users/Config.h b/src/modules/users/Config.h
index 07fa40d1f..3640519dc 100644
--- a/src/modules/users/Config.h
+++ b/src/modules/users/Config.h
@@ -259,6 +259,9 @@ public:
 const QStringList& forbiddenLoginNames() const;
 const QStringList& forbiddenHostNames() const;
+ int homePermissions() const { return m_homeDirPermissions; }
+ int homeUMask() const { return m_homeDirPermissions >= 0 ? ( ( ~m_homeDirPermissions ) & 0777 ) : -1; }
+
 public Q_SLOTS:
 /** @brief Sets the user's shell if possible
 *
diff --git a/src/modules/users/users.conf b/src/modules/users/users.conf
index e6910bcd2..240489543 100644
--- a/src/modules/users/users.conf
+++ b/src/modules/users/users.conf
@@ -214,9 +214,15 @@ allowWeakPasswordsDefault: false
 # contains "root" and "nobody", but may be extended to list other special
 # names for a given distro (eg. "video", or "mysql" might not be a valid
 # end-user login name).
+# - *home_permissions* Home directory of the user is given **approximately**
+# this set of permissions. Write the permissions in octal. If not set,
+# there is no default and no permission-setting is done (uses defaults of
+# `useradd` in the target). A umask is computed from these permissions
+# and passed to `useradd`.
 user:
 shell: /bin/bash
 forbidden_names: [ root ]
+ home_permissions: 0700
 # Hostname settings
diff --git a/src/modules/users/users.schema.yaml b/src/modules/users/users.schema.yaml
index c751a5226..e0647e497 100644
--- a/src/modules/users/users.schema.yaml
+++ b/src/modules/users/users.schema.yaml
@@ -13,6 +13,7 @@ properties:
 # User shell, should be path to /bin/sh or so
 shell: { type: string }
 forbidden_names: { type: array, items: { type: string } }
+ home_permissions: { type: string }
 # Group settings
 defaultGroups:
 type: array
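Review bot: `homeUMask()` in the Config.h hunk masks with `0777` but never checks that `m_homeDirPermissions` lies within `0`–`0777`, so a value with higher bits set still yields a plausible-looking umask with those bits silently dropped. The member's declaration and the code that loads it are outside this diff, so the range check belongs wherever the setting is parsed; here the two accessors should at least document what they return. I would add `/// @brief Permission bits for the new user's home directory; negative when not configured` above `homePermissions()` and `/// @brief umask matching those permissions (complement within 0777), or -1 when they are negative` above `homeUMask()`. That a negative value means "not configured" is inferred from the users.conf comment rather than shown in this hunk, and the enclosing class starts and ends outside it.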
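Review bot: The sample value `home_permissions: 0700` in the users.conf hunk is an unquoted scalar, while the users.schema.yaml hunk declares the key as `{ type: string }`. A YAML loader that resolves scalar types reads it as an integer (448 under YAML 1.1 octal rules, 700 under the 1.2 core schema), which does not satisfy a string schema; a decimal reading, if it ever reached the umask computation, would give permissions unrelated to the intended 0700. Quoting the sample as `home_permissions: "0700"` keeps it consistent with the schema. The schema line could also constrain the format, for example `home_permissions: { type: string, pattern: "^0?[0-7]{3}$" }`, assuming the schema is validated as JSON Schema. How the module converts the string to a number is not visible in this diff.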