diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
index f59c3d88fdb3..3caa36ab22d8 100644
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -49,6 +49,8 @@ configuration of each individual instance. This requires migrating any previous configuration keys from `services.fcgiwrap.*` to `services.fcgiwrap.some-instance.*`.
+ The ownership and mode of the UNIX sockets created by this service are now
+ configurable and private by default.
 - `nvimpager` was updated to version 0.13.0, which changes the order of user and nvimpager settings: user commands in `-c` and `--cmd` now override the
diff --git a/nixos/modules/services/web-servers/fcgiwrap.nix b/nixos/modules/services/web-servers/fcgiwrap.nix
index 1dc9632e3513..6b633386089f 100644
--- a/nixos/modules/services/web-servers/fcgiwrap.nix
+++ b/nixos/modules/services/web-servers/fcgiwrap.nix
@@ -45,10 +45,55 @@ in { In case of a UNIX socket, this should be its filesystem path. ''; };
+
+ socket.user = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ User to be set as owner of the UNIX socket.
+ Defaults to the process running user.
+ '';
+ };
+
+ socket.group = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ Group to be set as owner of the UNIX socket.
+ Defaults to the process running group.
+ '';
+ };
+
+ socket.mode = mkOption {
+ type = types.nullOr types.str;
+ default = if config.socket.type == "unix" then "0600" else null;
+ defaultText = literalExpression ''
+ if config.socket.type == "unix" then "0600" else null
+ '';
+ description = ''
+ Mode to be set on the UNIX socket.
+ Defaults to private to the socket's owner.
+ '';
+ };
 }; })); }; config = {
+ assertions = concatLists (mapAttrsToList (name: cfg: [
+ {
+ assertion = cfg.socket.user != null -> cfg.socket.type == "unix";
+ message = "Socket owner can only be set for the UNIX socket type.";
+ }
+ {
+ assertion = cfg.socket.group != null -> cfg.socket.type == "unix";
+ message = "Socket owner can only be set for the UNIX socket type.";
+ }
+ {
+ assertion = cfg.socket.mode != null -> cfg.socket.type == "unix";
+ message = "Socket mode can only be set for the UNIX socket type.";
+ }
+ ]) config.services.fcgiwrap);
+
 systemd.services = forEachInstance (cfg: { after = [ "nss-user-lookup.target" ]; wantedBy = optional (cfg.socket.type != "unix") "multi-user.target";
@@ -71,6 +116,9 @@ in {
 wantedBy = [ "sockets.target" ];
 socketConfig = {
 ListenStream = cfg.socket.address;
+ SocketUser = cfg.socket.user;
+ SocketGroup = cfg.socket.group;
+ SocketMode = cfg.socket.mode;
 };
 });
 };
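Review bot: The `socket.user` and `socket.group` descriptions say the owner "Defaults to the process running user/group", but as I read systemd.socket(5) an unset `SocketUser=`/`SocketGroup=` makes systemd create the node owned by root (the service's `User=` does not apply to the socket unit), so with the new `0600` default only root can `connect()` until an administrator points these options at the web server's user. I would reword both descriptions to `Defaults to root, the user systemd creates the socket node as.` and extend the `socket.mode` description with one sentence noting that connecting to an AF_UNIX socket requires write permission on the node, so the consumer must match `socket.user`/`socket.group` or the mode must be widened deliberately. The second assertion's message is copy-pasted from the first and should read `message = "Socket group can only be set for the UNIX socket type.";`. The `name` parameter of the `mapAttrsToList` lambda is unused and could be `_`; the enclosing `config = {` attribute set continues outside the hunk.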
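Review bot: `SocketUser`, `SocketGroup` and `SocketMode` are written into `socketConfig` even when the option is null, which is the common case for user and group and, by the new assertions, always the case for non-UNIX socket types; whether that becomes an empty `SocketMode=` assignment that systemd ignores with a warning or is dropped depends on how the unit generator renders null, which is not visible here. Guarding each key makes the generated unit independent of that, e.g. `} // optionalAttrs (cfg.socket.mode != null) { SocketMode = cfg.socket.mode; }` and the same for `SocketUser` and `SocketGroup`. The enclosing `forEachInstance` expression starts outside the hunk.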