diff --git a/drb-c2-core/mosquitto/entrypoint.sh b/drb-c2-core/mosquitto/entrypoint.sh
index a3f9035..e8b52fa 100644
--- a/drb-c2-core/mosquitto/entrypoint.sh
+++ b/drb-c2-core/mosquitto/entrypoint.sh
@@ -28,6 +28,10 @@ fi
 mosquitto_passwd -c -b "$PASSWD_FILE" "$MQTT_C2_USER"   "$MQTT_C2_PASS"
 mosquitto_passwd    -b "$PASSWD_FILE" "$MQTT_NODE_USER" "$MQTT_NODE_PASS"
 
+# mosquitto_passwd creates the file 0600 (root-only); mosquitto drops to
+# the mosquitto user before reading it, so make it world-readable.
+chmod 644 "$PASSWD_FILE"
+
 echo "Mosquitto: password file written for users: $MQTT_C2_USER, $MQTT_NODE_USER"
 
 exec /usr/sbin/mosquitto -c /mosquitto/config/mosquitto.conf