diff --git a/config/config.sample.php b/config/config.sample.php
index 59ecb1d111a7a..bcd940f449b28 100644
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -2613,6 +2613,13 @@
 	 */
 	'data-fingerprint' => '',
 
+	/**
+	 * config.php file mode in octal notation.
+	 *
+	 * Defaults to ``0640`` (writable by user, readable by group).
+	 */
+	'configfilemode' => 0640,
+
 	/**
 	 * This entry serves as a warning if the sample configuration was copied.
 	 * DO NOT ADD THIS TO YOUR CONFIGURATION!
diff --git a/lib/private/Config.php b/lib/private/Config.php
index 571c248330afc..ec380aedc5d0b 100644
--- a/lib/private/Config.php
+++ b/lib/private/Config.php
@@ -276,8 +276,9 @@ private function writeData(): void {
 		touch($this->configFilePath);
 		$filePointer = fopen($this->configFilePath, 'r+');
 
-		// Prevent others not to read the config
-		chmod($this->configFilePath, 0640);
+		// Apply permissions for config.php, defaulting to user read-write and group read
+		$permissions = $this->cache['configfilemode'] ?? 0640;
+		chmod($this->configFilePath, $permissions);
 
 		// File does not exist, this can happen when doing a fresh install
 		if (!is_resource($filePointer)) {