diff --git a/examples/rotuer.nix b/examples/rotuer.nix
index c7c443fa..bfe1c412 100644
--- a/examples/rotuer.nix
+++ b/examples/rotuer.nix
@@ -128,6 +128,7 @@ in rec {
       ( in_outputs ${name}
        echo "nameserver $(output ${services.wan} ns1)" > resolv.conf
        echo "nameserver $(output ${services.wan} ns2)" >> resolv.conf
+       chmod 0444 resolv.conf
       )
     '';
     down = ''
diff --git a/modules/ntp/service.nix b/modules/ntp/service.nix
index 49f00b52..6f83a21a 100644
--- a/modules/ntp/service.nix
+++ b/modules/ntp/service.nix
@@ -22,7 +22,7 @@ let
     ++
     (mapAttrsToList (name: opts: "peer ${name} ${concatStringsSep "" opts}")
       p.peers)
-    ++ [ "user ${p.user}" ]
+    ++ lib.optional (p.user != null) "user ${p.user}"
     ++ (lib.optional (p.makestep != null) "makestep ${toString p.makestep.threshold} ${toString p.makestep.limit}")
     ++ (map (n: "allow ${n}") p.allow)
     ++ (lib.optional (p.bindaddress != null) "bindaddress ${p.bindaddress}")
diff --git a/modules/s6/scripts/rc.init b/modules/s6/scripts/rc.init
index 9c0747de..d689282c 100755
--- a/modules/s6/scripts/rc.init
+++ b/modules/s6/scripts/rc.init
@@ -21,7 +21,7 @@ mount -t sysfs none /sys
 mkdir /dev/pts
 mount -t devpts none /dev/pts
 
-mkdir -m 0750 /run/service-state
+mkdir -m 0751 /run/service-state
 chgrp system /run/service-state
 
 ### If your services are managed by s6-rc:
diff --git a/pkgs/service-fns/default.nix b/pkgs/service-fns/default.nix
index 15c53002..c16c44ca 100644
--- a/pkgs/service-fns/default.nix
+++ b/pkgs/service-fns/default.nix
@@ -4,7 +4,7 @@ writeText "service-fns.sh" ''
   output_path() { echo $(realpath $1/.outputs)/$2; }
   mkoutputs() {
     d=/run/service-state/$1
-    mkdir -m 2750 -p $d && chown root:system $d
+    mkdir -m 2751 -p $d && chown root:system $d
     echo $d
   }
   in_outputs() {