diff --git a/go.mod b/go.mod
index e26fa6cf1..d00390c07 100644
--- a/go.mod
+++ b/go.mod
@@ -34,6 +34,7 @@ require (
 	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3
 	golang.org/x/net v0.0.0-20220407224826-aac1ed45d8e3
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
+	golang.org/x/sys v0.0.0-20220412211240-33da011f77ad
 	google.golang.org/grpc v1.45.0
 	google.golang.org/grpc/cmd/protoc-gen-go-grpc v0.0.0-20200709232328-d8193ee9cc3e
 	google.golang.org/protobuf v1.28.0
@@ -147,7 +148,6 @@ require (
 	go.opentelemetry.io/proto/otlp v0.7.0 // indirect
 	golang.org/x/crypto v0.0.0-20220408190544-5352b0902921 // indirect
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
-	golang.org/x/sys v0.0.0-20220412211240-33da011f77ad // indirect
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
 	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
diff --git a/pkg/registry/query.go b/pkg/registry/query.go
index 23741e53a..4c4212217 100644
--- a/pkg/registry/query.go
+++ b/pkg/registry/query.go
@@ -17,6 +17,11 @@ import (
 	"github.com/operator-framework/operator-registry/pkg/api"
 )
 
+const (
+	cachePermissionDir  = 0750
+	cachePermissionFile = 0640
+)
+
 type Querier struct {
 	*cache
 }
@@ -423,7 +428,7 @@ func newEphemeralCache() (*cache, error) {
 	if err != nil {
 		return nil, err
 	}
-	if err := os.MkdirAll(filepath.Join(baseDir, "cache"), 0700); err != nil {
+	if err := os.MkdirAll(filepath.Join(baseDir, "cache"), cachePermissionDir); err != nil {
 		return nil, err
 	}
 	return &cache{
@@ -434,7 +439,7 @@ func newEphemeralCache() (*cache, error) {
 }
 
 func newPersistentCache(baseDir string) (*cache, error) {
-	if err := os.MkdirAll(baseDir, 0700); err != nil {
+	if err := os.MkdirAll(baseDir, cachePermissionDir); err != nil {
 		return nil, err
 	}
 	qc := &cache{baseDir: baseDir, persist: true}
@@ -481,6 +486,10 @@ func (qc *cache) loadFromCache() error {
 }
 
 func (qc *cache) repopulateCache(model digestableModel) error {
+	// ensure that generated cache is available to all future users
+	oldUmask := umask(000)
+	defer umask(oldUmask)
+
 	m, err := model.GetModel()
 	if err != nil {
 		return err
@@ -494,7 +503,7 @@ func (qc *cache) repopulateCache(model digestableModel) error {
 			return err
 		}
 	}
-	if err := os.MkdirAll(filepath.Join(qc.baseDir, "cache"), 0700); err != nil {
+	if err := os.MkdirAll(filepath.Join(qc.baseDir, "cache"), cachePermissionDir); err != nil {
 		return err
 	}
 
@@ -507,7 +516,7 @@ func (qc *cache) repopulateCache(model digestableModel) error {
 	if err != nil {
 		return err
 	}
-	if err := os.WriteFile(filepath.Join(qc.baseDir, "cache", "packages.json"), packageJson, 0600); err != nil {
+	if err := os.WriteFile(filepath.Join(qc.baseDir, "cache", "packages.json"), packageJson, cachePermissionFile); err != nil {
 		return err
 	}
 
@@ -524,7 +533,7 @@ func (qc *cache) repopulateCache(model digestableModel) error {
 					return err
 				}
 				filename := filepath.Join(qc.baseDir, "cache", fmt.Sprintf("%s_%s_%s.json", p.Name, ch.Name, b.Name))
-				if err := os.WriteFile(filename, jsonBundle, 0666); err != nil {
+				if err := os.WriteFile(filename, jsonBundle, cachePermissionFile); err != nil {
 					return err
 				}
 				qc.apiBundles[apiBundleKey{p.Name, ch.Name, b.Name}] = filename
@@ -533,7 +542,7 @@ func (qc *cache) repopulateCache(model digestableModel) error {
 	}
 	computedHash, err := model.GetDigest()
 	if err == nil {
-		if err := os.WriteFile(filepath.Join(qc.baseDir, "digest"), []byte(computedHash), 0600); err != nil {
+		if err := os.WriteFile(filepath.Join(qc.baseDir, "digest"), []byte(computedHash), cachePermissionFile); err != nil {
 			return err
 		}
 	} else if !errors.Is(err, errNonDigestable) {
diff --git a/pkg/registry/syscall_unix.go b/pkg/registry/syscall_unix.go
new file mode 100644
index 000000000..b1edcf59f
--- /dev/null
+++ b/pkg/registry/syscall_unix.go
@@ -0,0 +1,8 @@
+//go:build !windows
+// +build !windows
+
+package registry
+
+import "golang.org/x/sys/unix"
+
+var umask = unix.Umask
diff --git a/pkg/registry/syscall_windows.go b/pkg/registry/syscall_windows.go
new file mode 100644
index 000000000..525c656f1
--- /dev/null
+++ b/pkg/registry/syscall_windows.go
@@ -0,0 +1,6 @@
+//go:build windows
+// +build windows
+
+package registry
+
+var umask = func(i int) int { return 0 }