diff --git a/src/connect/client/grpc/client_base.h b/src/connect/client/grpc/client_base.h index b7d200cfda29a505ef1d65e7f09cb83fc1e3b5a3..dabf0e449b4cb4e901e407d6aa9db6532a2de482 100644 --- a/src/connect/client/grpc/client_base.h +++ b/src/connect/client/grpc/client_base.h @@ -196,7 +196,7 @@ protected: // Set common name from cert.perm char common_name_value[ClientBaseConstants::COMMON_NAME_LEN] = { 0 }; int ret = get_common_name_from_tls_cert(m_certFile.c_str(), common_name_value, - ClientBaseConstants::COMMON_NAME_LEN); + ClientBaseConstants::COMMON_NAME_LEN); if (ret != 0) { ERROR("Failed to get common name in: %s", m_certFile.c_str()); return -1; diff --git a/src/constants.h b/src/constants.h index 973b006d8a6b59f8f1325a50d44d1da3a5fff923..55fb03cb3df64233a305edb67dd04d5f68b7afa3 100644 --- a/src/constants.h +++ b/src/constants.h @@ -46,6 +46,8 @@ #define DEBUG_DIRECTORY_MODE 0750 +#define NETWORK_MOUNT_FILE_MODE 0644 + #define ISULAD_CONFIG "/etc/isulad" #define ISULAD_DAEMON_JSON_CONF_FILE ISULAD_CONFIG "/daemon.json" diff --git a/src/cutils/utils_file.c b/src/cutils/utils_file.c index 182570d46ada17826eb4ac744c7681646865b383..d63dc3ab1774b2e015083c81e6afba92a6ab1ebb 100644 --- a/src/cutils/utils_file.c +++ b/src/cutils/utils_file.c @@ -822,7 +822,7 @@ free_out: return ret; } -int util_write_file(const char *fname, const char *content, size_t content_len) +int util_write_file(const char *fname, const char *content, size_t content_len, mode_t mode) { int ret = 0; int dst_fd = -1; @@ -834,7 +834,7 @@ int util_write_file(const char *fname, const char *content, size_t content_len) if (content == NULL || content_len == 0) { return 0; } - dst_fd = util_open(fname, O_WRONLY | O_CREAT | O_TRUNC, DEFAULT_SECURE_FILE_MODE); + dst_fd = util_open(fname, O_WRONLY | O_CREAT | O_TRUNC, mode); if (dst_fd < 0) { ERROR("Creat file: %s, failed: %s", fname, strerror(errno)); ret = -1; 
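Review bot: `NETWORK_MOUNT_FILE_MODE` is added in the src/constants.h hunk without a comment saying why it is wider than the mode used for other daemon-written files, and the name alone does not tell a later author which files may use it. Elsewhere in this commit it is applied to the per-container hostname, hosts and resolv.conf files, while process.json and the OCI config stay on `DEFAULT_SECURE_FILE_MODE`. I would add a comment above the define such as `/* hostname, hosts and resolv.conf of a container: world-readable, never use for files that can hold secrets */`.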
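Review bot: The new `mode` argument of `util_write_file` (and of `util_copy_file` in the @@ -877 and @@ -902 hunks) only takes effect when the open call creates the file. With `O_WRONLY | O_CREAT | O_TRUNC` an existing file keeps its old permission bits, and a newly created one is still reduced by the process umask. Files written by an earlier version therefore keep their previous mode after an upgrade, and a restrictive daemon umask can silently narrow 0644. If the caller's mode is meant to be the final mode, call `fchmod(dst_fd, mode)` after a successful open and treat its failure as an error; otherwise state the creation-only semantics in a comment on both functions. Both function bodies continue outside the hunks shown.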
@@ -877,7 +877,7 @@ char *verify_file_and_get_real_path(const char *file) return util_strdup_s(resolved_path); } -int util_copy_file(const char *src_file, const char *dst_file) +int util_copy_file(const char *src_file, const char *dst_file, mode_t mode) { #define BUFSIZE 4096 int ret = 0; @@ -902,7 +902,7 @@ int util_copy_file(const char *src_file, const char *dst_file) ret = -1; goto free_out; } - dst_fd = util_open(dst_file, O_WRONLY | O_CREAT | O_TRUNC, DEFAULT_SECURE_FILE_MODE); + dst_fd = util_open(dst_file, O_WRONLY | O_CREAT | O_TRUNC, mode); if (dst_fd < 0) { ERROR("Creat file: %s, failed: %s", dst_file, strerror(errno)); ret = -1; diff --git a/src/cutils/utils_file.h b/src/cutils/utils_file.h index d868fa722df856f3c40e1df1cd3b7e31797598f9..83aead75ab21b82e03ebfa5e75f85f5cb3e24055 100644 --- a/src/cutils/utils_file.h +++ b/src/cutils/utils_file.h @@ -69,11 +69,11 @@ int util_file2str(const char *filename, char *buf, size_t len); char *look_path(const char *file, char **err); -int util_write_file(const char *fname, const char *content, size_t content_len); +int util_write_file(const char *fname, const char *content, size_t content_len, mode_t mode); char *verify_file_and_get_real_path(const char *file); -int util_copy_file(const char *src_file, const char *dst_file); +int util_copy_file(const char *src_file, const char *dst_file, mode_t mode); #ifdef __cplusplus } diff --git a/src/runtime/isula/isula_rt_ops.c b/src/runtime/isula/isula_rt_ops.c index 6c98adb7234b536c3ca9353635bb4a1bd4095e93..ad3dcd1da51fdb003b67c273711b9a89faf5bbb2 100644 --- a/src/runtime/isula/isula_rt_ops.c +++ b/src/runtime/isula/isula_rt_ops.c @@ -60,7 +60,7 @@ static int file_write_int(const char *fname, int val) return -1; } - if (util_write_file(fname, sint, strlen(sint)) < 0) { + if (util_write_file(fname, sint, strlen(sint), DEFAULT_SECURE_FILE_MODE) < 0) { return -1; } 
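Review bot: Both prototypes in src/cutils/utils_file.h now use `mode_t`, but the hunk does not show the header including `<sys/types.h>` or `<sys/stat.h>`; the include list is outside the hunk, so this may already be covered. If it is not, C++ callers such as cri_sandbox.cc compile only when something else pulls the type in first, so add `#include <sys/types.h>` to the header. A one-line comment on each prototype stating that `mode` is the permission requested for a newly created file would also help callers choose between `DEFAULT_SECURE_FILE_MODE` and `NETWORK_MOUNT_FILE_MODE`.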
@@ -188,7 +188,7 @@ static int create_process_json_file(const char *workdir, const shim_client_proce goto out; } - if (util_write_file(fname, data, strlen(data)) != 0) { + if (util_write_file(fname, data, strlen(data), DEFAULT_SECURE_FILE_MODE) != 0) { retcode = -1; ERROR("failed write process.json"); goto out; diff --git a/src/services/cri/cni_network_plugin.cc b/src/services/cri/cni_network_plugin.cc index 8c7f286a9ccd2b836046349263af1873288da781..c34ce044b294587305ccd8d7f396cf26584d39c9 100644 --- a/src/services/cri/cni_network_plugin.cc +++ b/src/services/cri/cni_network_plugin.cc @@ -33,7 +33,7 @@ static std::string VendorCNIDir(const std::string &prefix, const std::string &pl static std::unique_ptr GetLoNetwork(const std::string &binDir, const std::string &vendorDirPrefix) { const std::string loNetConfListJson { "{\"cniVersion\": \"0.3.0\", \"name\": \"cni-loopback\"," - "\"plugins\":[{\"type\": \"loopback\" }]}" }; + "\"plugins\":[{\"type\": \"loopback\" }]}" }; char *cerr { nullptr }; struct cni_network_list_conf *loConf { diff --git a/src/services/cri/cri_sandbox.cc b/src/services/cri/cri_sandbox.cc index 60db1c9e868d1fbb591213b198a28871a435bfa7..a8fe3a5084fdc6bb1dd44e1a9eeee7d983594ae7 100644 --- a/src/services/cri/cri_sandbox.cc +++ b/src/services/cri/cri_sandbox.cc @@ -307,7 +307,7 @@ void CRIRuntimeServiceImpl::SetupSandboxFiles(const std::string &resolvPath, if (!resolvContentStrs.empty()) { std::string resolvContent = CXXUtils::StringsJoin(resolvContentStrs, "\n") + "\n"; - if (util_write_file(resolvPath.c_str(), resolvContent.c_str(), resolvContent.size()) != 0) { + if (util_write_file(resolvPath.c_str(), resolvContent.c_str(), resolvContent.size(), DEFAULT_SECURE_FILE_MODE) != 0) { error.SetError("Failed to write resolv content"); } } diff --git a/src/services/execution/execute/execution_network.c b/src/services/execution/execute/execution_network.c index 5376fbb4b250138a10439cc915a1586812458cbe..d70d921c259b1f14d9620c05dcd217b5e73286b5 100644 
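Review bot: `SetupSandboxFiles` in src/services/cri/cri_sandbox.cc still writes the sandbox resolv.conf with `DEFAULT_SECURE_FILE_MODE`, while the non-CRI path in execution_network.c switches resolv.conf to `NETWORK_MOUNT_FILE_MODE` in this same commit. If the wider mode exists so that processes inside the container can read these files (the commit does not say), the CRI sandbox file presumably has the same need and should pass `NETWORK_MOUNT_FILE_MODE`. If the difference is intended, a short comment at this call such as `/* sandbox resolv.conf deliberately keeps the restrictive mode */` would stop it being changed by accident later. The function body continues outside the hunk.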
--- a/src/services/execution/execute/execution_network.c +++ b/src/services/execution/execute/execution_network.c @@ -48,7 +48,7 @@ static int write_hostname_to_file(const char *rootfs, const char *hostname) goto error_out; } if (hostname != NULL) { - ret = util_write_file(file_path, hostname, strlen(hostname)); + ret = util_write_file(file_path, hostname, strlen(hostname), NETWORK_MOUNT_FILE_MODE); if (ret) { SYSERROR("Failed to write %s", file_path); isulad_set_error_message("Failed to write %s: %s", file_path, strerror(errno)); @@ -140,7 +140,7 @@ static int write_content_to_file(const char *file_path, const char *content) int ret = 0; if (content != NULL) { - ret = util_write_file(file_path, content, strlen(content)); + ret = util_write_file(file_path, content, strlen(content), NETWORK_MOUNT_FILE_MODE); if (ret != 0) { SYSERROR("Failed to write file %s", file_path); isulad_set_error_message("Failed to write file %s: %s", file_path, strerror(errno)); @@ -869,7 +869,7 @@ static int create_default_hostname(const char *id, const char *rootpath, bool sh } - if (util_write_file(file_path, hostname_content, strlen(hostname_content)) != 0) { + if (util_write_file(file_path, hostname_content, strlen(hostname_content), NETWORK_MOUNT_FILE_MODE) != 0) { ERROR("Failed to create default hostname"); ret = -1; goto out; @@ -915,7 +915,7 @@ static int write_default_hosts(const char *file_path, const char *hostname) goto out_free; } - ret = util_write_file(file_path, content, strlen(content)); + ret = util_write_file(file_path, content, strlen(content), NETWORK_MOUNT_FILE_MODE); if (ret != 0) { ret = -1; goto out_free; @@ -941,7 +941,7 @@ static int create_default_hosts(const char *id, const char *rootpath, bool share } if (share_host && util_file_exists(ETC_HOSTS)) { - ret = util_copy_file(ETC_HOSTS, file_path); + ret = util_copy_file(ETC_HOSTS, file_path, NETWORK_MOUNT_FILE_MODE); } else { ret = write_default_hosts(file_path, v2_spec->config->hostname); } 
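Review bot: `write_content_to_file` in the @@ -140 hunk is a generically named helper that now creates every file it writes with `NETWORK_MOUNT_FILE_MODE`, so any current or future caller gets a world-readable file without asking for it. Its callers are outside the hunks shown; if all of them write hosts or resolv.conf style data this is fine, but the function should say so, for example `/* for non-secret network files only: created with NETWORK_MOUNT_FILE_MODE */` above the definition. Taking the mode as a parameter, as `util_write_file` now does, would make the choice visible at each call site instead.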
@@ -962,7 +962,7 @@ static int write_default_resolve(const char *file_path) { const char *default_ipv4_dns = "\nnameserver 8.8.8.8\nnameserver 8.8.4.4\n";; - return util_write_file(file_path, default_ipv4_dns, strlen(default_ipv4_dns)); + return util_write_file(file_path, default_ipv4_dns, strlen(default_ipv4_dns), NETWORK_MOUNT_FILE_MODE); } static int create_default_resolv(const char *id, const char *rootpath, container_config_v2_common_config *v2_spec) @@ -978,7 +978,7 @@ static int create_default_resolv(const char *id, const char *rootpath, container } if (util_file_exists(RESOLV_CONF_PATH)) { - ret = util_copy_file(RESOLV_CONF_PATH, file_path); + ret = util_copy_file(RESOLV_CONF_PATH, file_path, NETWORK_MOUNT_FILE_MODE); } else { ret = write_default_resolve(file_path); } diff --git a/src/services/execution/spec/specs.c b/src/services/execution/spec/specs.c index 075bd2871dcfa399cc841618e44b07009132dbd2..bf399b5e9b13add9769071b3a078e159e37628ab 100644 --- a/src/services/execution/spec/specs.c +++ b/src/services/execution/spec/specs.c @@ -2167,7 +2167,7 @@ int save_oci_config(const char *id, const char *rootpath, const oci_runtime_spec goto out_free; } - if (util_write_file(file_path, json_container, strlen(json_container)) != 0) { + if (util_write_file(file_path, json_container, strlen(json_container), DEFAULT_SECURE_FILE_MODE) != 0) { ERROR("write json container failed: %s", strerror(errno)); ret = -1; goto out_free; diff --git a/test/services/execution/spec/selinux_label_mock_llt.cc b/test/services/execution/spec/selinux_label_mock_llt.cc index a8ce4a5e3a0998e2b07f4af9e917a161f6440d94..da719bdd55ff76c6d3655aa28e8f156058324850 100644 --- a/test/services/execution/spec/selinux_label_mock_llt.cc +++ b/test/services/execution/spec/selinux_label_mock_llt.cc 
@@ -56,7 +56,7 @@ TEST_F(SELinuxGetEnableUnitTest, test_selinux_get_enable_normal) const uint32_t selinuxfsMagic = 0xf97cff8c; struct statfs sfbuf { .f_type = selinuxfsMagic, - .f_flags = 0 + .f_flags = 0 }; EXPECT_CALL(m_syscall, Statfs(_, _))