diff --git a/doc/changelog b/doc/changelog
index 966e876e..05c02f09 100644
--- a/doc/changelog
+++ b/doc/changelog
@@ -5,6 +5,7 @@ Changelog
 * Exception: No braces means author == Nico Schottelius
 2.0.11:
+ * Fix insecure file/directory creation: Use umask 077
 * Add support for --remote-exec and --remote-copy parameters
 2.0.10: 2012-05-18
diff --git a/doc/dev/todo/TAKEME b/doc/dev/todo/TAKEME
index 11235f8a..87fc91c5 100644
--- a/doc/dev/todo/TAKEME
+++ b/doc/dev/todo/TAKEME
@@ -9,6 +9,8 @@ CORE
 - document and add paremeters for remote-copy and remote-exec!
 - remove hack, make a feature of it
+- remove var=foo calls on remote side. Use -o SendEnv (yeah, see ssh_config(5))
+
 TESTS
 -----
 - multiple defines of object:
diff --git a/lib/cdist/__init__.py b/lib/cdist/__init__.py
index 0817a1cb..b9289911 100644
--- a/lib/cdist/__init__.py
+++ b/lib/cdist/__init__.py
@@ -19,7 +19,17 @@
 #
 #
-VERSION = "2.0.10"
+import os
+import subprocess
+
+try:
+ with open(os.devnull, 'w') as devnull:
+ here = os.path.dirname(os.path.realpath(__file__))
+ VERSION = subprocess.check_output(
+ 'cd "%s" && git describe' % here,
+ stderr=devnull, shell=True).decode('utf-8')
+except:
+ VERSION = "2.0.10"
 BANNER = """
 .. . .x+=:. s
@@ -38,8 +48,6 @@ BANNER = """
 DOT_CDIST = ".cdist"
-import os
-
 class Error(Exception):
 """Base exception class for this project"""
 pass
diff --git a/lib/cdist/exec/local.py b/lib/cdist/exec/local.py
index d3c6a0ce..e510a8fb 100644
--- a/lib/cdist/exec/local.py
+++ b/lib/cdist/exec/local.py
@@ -60,6 +60,9 @@ class Local(object):
 self.log = logging.getLogger(self.target_host)
+ # Setup file permissions using umask
+ os.umask(0o077)
+
 def create_directories(self):
 self.mkdir(self.out_path)
 self.mkdir(self.global_explorer_out_path)
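Review bot: In lib/cdist/__init__.py the new VERSION lookup formats the package directory into a `shell=True` command string, so a path containing `"`, `$` or a backtick is interpreted by the shell every time the package is imported. Passing an argument list with a working directory avoids the shell entirely: `subprocess.check_output(['git', 'describe'], cwd=here, stderr=devnull)`. The bare `except:` also swallows KeyboardInterrupt and SystemExit; `except (OSError, subprocess.CalledProcessError):` covers a missing git binary and a directory that is not a repository. The decoded output keeps git's trailing newline, so `.strip()` is needed before VERSION is printed or compared. If the package is installed below some unrelated git working tree, `git describe` would presumably report that repository's tag, which is worth a comment next to the fallback.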
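Review bot: `os.umask(0o077)` in `Local.__init__` (lib/cdist/exec/local.py) changes the umask of the whole process as a side effect of constructing an object, and the previous value it returns is discarded. Anything created before the first `Local` is instantiated still gets the inherited umask, while every file created afterwards by this process or its children gets 077 whether or not it belongs to cdist. Setting the umask once at program start-up would make that ordering explicit; if it stays here, replace the comment with something like `# process-wide and permanent: every file created after this point, including by child processes, is owner-only`. `__init__` starts outside the hunk, so whether files are written earlier in it cannot be checked from here.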
@@ -73,8 +76,7 @@ class Local(object):
 def mkdir(self, path):
 """Create directory on the local side."""
 self.log.debug("Local mkdir: %s", path)
- # FIXME: dont set mode here, fix unittest mkdtemp instead
- os.makedirs(path, mode=0o700, exist_ok=True)
+ os.makedirs(path, exist_ok=True)
 def run(self, command, env=None, return_output=False):
 """Run the given command with the given environment.
diff --git a/lib/cdist/exec/remote.py b/lib/cdist/exec/remote.py
index 11b8c78e..fb90939d 100644
--- a/lib/cdist/exec/remote.py
+++ b/lib/cdist/exec/remote.py
@@ -105,6 +105,10 @@ class Remote(object):
 cmd = self._exec.split()
 cmd.append(self.target_host)
+ # Always call umask before actual call to ensure proper file permissions
+ cmd.append("umask 077;")
+
+ # FIXME: replace this by -o SendEnv name -o SendEnv name ... to ssh?
 # can't pass environment to remote side, so prepend command with
 # variable declarations
 if env:
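Review bot: With `mode=0o700` removed, `os.makedirs(path, exist_ok=True)` in `Local.mkdir` takes its permissions only from the umask set in `__init__`, and a umask has no effect on a directory that already exists. If any of these paths can sit in a location writable by other users (not visible in this hunk), a directory created in advance by someone else would be accepted as is. A check after creation would close that gap, for example `st = os.stat(path)` followed by raising when `st.st_uid != os.getuid() or st.st_mode & 0o077`. At minimum the removed FIXME should be replaced by `# relies on os.umask(0o077) set in __init__; an existing directory keeps its owner and mode`.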
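Review bot: `cmd.append("umask 077;")` in lib/cdist/exec/remote.py only takes effect when the remote-exec program joins its arguments and hands them to a POSIX shell on the target. ssh does that, but `cmd` is built from `self._exec.split()`, and a custom `--remote-exec` value (new in this release according to the changelog) is not guaranteed to. A wrapper that executes its arguments directly would receive `umask 077;` as a literal argument, so the hardening would be lost or the call would fail. I would state the contract next to the line, e.g. `# remote-exec must pass its arguments to a POSIX shell on the target; "umask 077;" relies on that`, and repeat it in the --remote-exec documentation. The enclosing method starts and ends outside the hunk, and whether files placed through the remote-copy path get the same restriction is not visible here.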