diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 8f97e53..e48f8b4 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -42,3 +42,18 @@ jobs:
 license: MPL-2.0
 binary: ${{ steps.build.outputs.binary-path }}
 bin_path: /usr/local/bin
+ file_permissions: 0o027
+ user_owner: root
+ group_owner: vault
+
+ - name: dump RPM
+ run: |
+ echo "::group::maybe install rpm" 1>&2
+ # runner is ubuntu, install rpm if it's not already available
+ which rpm || apt install -y rpm
+ echo "::endgroup::" 1>&2
+ rpm -qplv out/*.rpm
+
+ - name: dump deb
+ run: |
+ dpkg -c out/*.deb
diff --git a/action.yml b/action.yml
index 23ec693..dce3542 100644
--- a/action.yml
+++ b/action.yml
@@ -56,6 +56,18 @@ inputs:
 description: 'Path to install the binary at'
 default: '/usr/bin'
 required: false
+ file_permissions:
+ description: 'File permissions applied to all files in the package; specify in yaml/octal format: `0o022`; if empty, permissions are unmodified.'
+ default: ''
+ required: false
+ user_owner:
+ description: 'The user name or ID that should own the files in the package; e.g.: root'
+ default: ''
+ required: false
+ group_owner:
+ description: 'The group name or ID that should own the files in the package; e.g.: root'
+ default: ''
+ required: false
 config_dir:
 description: 'Directory of configs in desired filesystem structure.'
 default: ''
@@ -197,6 +209,9 @@ runs:
 INPUT_DEPENDS: ${{ inputs.depends }}
 INPUT_BINARY: ${{ inputs.binary }}
 INPUT_BIN_PATH: ${{ inputs.bin_path }}
+ INPUT_FILEPERMISSIONS: ${{ inputs.file_permissions }}
+ INPUT_USEROWNER: ${{ inputs.user_owner }}
+ INPUT_GROUPOWNER: ${{ inputs.group_owner }}
 INPUT_CONFIG_DIR: ${{ inputs.config_dir }}
 INPUT_PREINSTALL: ${{ inputs.preinstall }}
 INPUT_POSTINSTALL: ${{ inputs.postinstall }}
diff --git a/fpm_template.go b/fpm_template.go
index 8b5d48d..708c3e7 100644
--- a/fpm_template.go
+++ b/fpm_template.go
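Review bot: The new `dump RPM` and `dump deb` steps only print the package listings, so the job passes whatever mode and ownership the packages actually carry; the output of `rpm -qplv out/*.rpm` and `dpkg -c out/*.deb` should be checked for the expected mode, owner and group on the binary's entry rather than just echoed. The values chosen here, `user_owner: root` and `group_owner: vault`, are also the literal strings the template hunk in fpm_template.go writes for `owner:` and `group:`, so this job cannot tell an honoured input from a hard-coded one; a different owner and group in the test would. Separately, `which rpm || apt install -y rpm` has no `sudo`, which will probably fail on a hosted Ubuntu runner if rpm is ever missing from the image.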
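Review bot: The `file_permissions` description says the value is the permissions applied to the packaged files, but the template hunk in fpm_template.go renders it as `umask: {{ .FilePermissions }}`, which is a mask of bits to remove rather than the mode to set. A caller who reads this text and passes a mode such as `0o755` would strip exactly the bits they meant to grant. The text should say what the value is, e.g. `description: 'Umask applied to all files in the package (permission bits to remove), in yaml/octal format, e.g. 0o027; if empty, permissions are unmodified.'`, or the input should be renamed to match. The `group_owner` example of `root` also looks copied from `user_owner`.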
@@ -12,21 +12,24 @@ import (
 )
 type NfpmInput struct {
- Name string
- Arch string
- Version string
- Maintainer string
- Vendor string
- Description string
- Homepage string
- License string
- Depends []string
- Binary string
- BinaryDest string
- Preinstall string
- Postinstall string
- Preremove string
- Postremove string
+ Name string
+ Arch string
+ Version string
+ Maintainer string
+ Vendor string
+ Description string
+ Homepage string
+ License string
+ Depends []string
+ Binary string
+ BinaryDest string
+ Preinstall string
+ Postinstall string
+ Preremove string
+ Postremove string
+ UserOwner string
+ GroupOwner string
+ FilePermissions string
 ConfigFiles []*ConfigFile
 }
@@ -90,6 +93,9 @@ func main() {
 inputPostinstall := os.Getenv("INPUT_POSTINSTALL")
 inputPreremove := os.Getenv("INPUT_PREREMOVE")
 inputPostremove := os.Getenv("INPUT_POSTREMOVE")
+ inputPermissions := os.Getenv("INPUT_FILEPERMISSIONS")
+ inputUserOwner := os.Getenv("INPUT_USEROWNER")
+ inputGroupOwner := os.Getenv("INPUT_GROUPOWNER")
 depends := strings.Split(inputDepends, ",")
 if inputDepends == "" {
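Review bot: The three new `os.Getenv` reads in main are passed on unchecked, and the template hunk further down writes `.FilePermissions` unquoted into the generated nfpm YAML (`umask: {{ .FilePermissions }}`); the owner fields would be in the same position once the template uses them. A value containing a newline or `: ` would then add or change keys in the package config, which matters if a workflow ever fills these inputs from an expression it does not fully control. Checking that the permissions value parses as octal, and that owner and group are single tokens, before `NfpmInput` is built closes that off. The sketch assumes `strconv` and `fmt` are imported, which this hunk does not show; main continues outside the hunk, so the exit path should follow whatever main already does on bad input.

```go
inputGroupOwner := os.Getenv("INPUT_GROUPOWNER")

// Only a plain octal literal may reach the YAML template.
if inputPermissions != "" {
	mask, err := strconv.ParseUint(strings.TrimPrefix(inputPermissions, "0o"), 8, 32)
	if err != nil || mask > 0777 {
		fmt.Fprintf(os.Stderr, "file_permissions %q is not an octal value\n", inputPermissions)
		os.Exit(1)
	}
}
// Owner and group must be a single token: no whitespace, no YAML key or comment markers.
for _, owner := range []string{inputUserOwner, inputGroupOwner} {
	if strings.ContainsAny(owner, " \t\r\n:#") {
		fmt.Fprintf(os.Stderr, "invalid owner value %q\n", owner)
		os.Exit(1)
	}
}
// … unchanged: depends parsing …
```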
@@ -109,21 +115,24 @@ func main() {
 }
 input := &NfpmInput{
- Name: inputName,
- Arch: inputArch,
- Version: inputVersion,
- Maintainer: inputMaintainer,
- Vendor: inputVendor,
- Description: inputDescription,
- Homepage: inputHomepage,
- License: inputLicense,
- Depends: depends,
- Binary: inputBinary,
- BinaryDest: binDest,
- Preinstall: inputPreinstall,
- Postinstall: inputPostinstall,
- Preremove: inputPreremove,
- Postremove: inputPostremove,
+ Name: inputName,
+ Arch: inputArch,
+ Version: inputVersion,
+ Maintainer: inputMaintainer,
+ Vendor: inputVendor,
+ Description: inputDescription,
+ Homepage: inputHomepage,
+ License: inputLicense,
+ Depends: depends,
+ Binary: inputBinary,
+ BinaryDest: binDest,
+ Preinstall: inputPreinstall,
+ Postinstall: inputPostinstall,
+ Preremove: inputPreremove,
+ Postremove: inputPostremove,
+ FilePermissions: inputPermissions,
+ UserOwner: inputUserOwner,
+ GroupOwner: inputGroupOwner,
 }
 input.ConfigFiles = findConfigs(inputConfigDir)
@@ -153,16 +162,40 @@ depends:
 - {{ . }}
 {{- end }}
 {{- end }}
+{{- if ne .FilePermissions "" }}
+umask: {{ .FilePermissions }}
+{{- end }}
 contents:
 {{- if ne .Binary "" }}
 - src: {{ .Binary }}
 dst: {{ .BinaryDest }}
+{{- if or (ne .UserOwner "") (ne .GroupOwner "") }}
+ file_info:
+{{- if ne .UserOwner "" }}
+ owner: root
+{{- end }}
+{{- if ne .GroupOwner "" }}
+ group: vault
+{{- end }}
+{{- end }}
 {{- end }}
+{{- /* capture ownership for use in .ConfigFiles subcontext */ -}}
+{{- $userOwner := .UserOwner }}
+{{- $groupOwner := .GroupOwner }}
 {{- with .ConfigFiles }}
 {{- range $index, $element := . }}
 - src: {{ .LocalPath }}
 dst: {{ .DestPath }}
 type: config|noreplace
+{{- if or (ne $userOwner "") (ne $groupOwner "") }}
+ file_info:
+{{- if ne $userOwner "" }}
+ owner: root
+{{- end }}
+{{- if ne $groupOwner "" }}
+ group: vault
+{{- end }}
+{{- end }}
 {{- end }}
 {{- end }}
 scripts:
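Review bot: Both `file_info` blocks added to the template write the literals `owner: root` and `group: vault` instead of the supplied values, so `user_owner` and `group_owner` only switch the block on and every package is built as root:vault whatever the caller asked for. Combined with a umask such as `0o027`, that gives group access to a `vault` group the caller never named and silently ignores a request for a non-root owner. The binary entry should read `owner: {{ .UserOwner }}` and `group: {{ .GroupOwner }}`, and the entry inside the `.ConfigFiles` range `owner: {{ $userOwner }}` and `group: {{ $groupOwner }}`, which is what the captured variables appear to be for. The template string starts and ends outside this hunk.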