diff --git a/roles/web-logs/files/sync-http-logs.sh b/roles/web-logs/files/sync-http-logs.sh
index 0846385..0c77cb3 100755
--- a/roles/web-logs/files/sync-http-logs.sh
+++ b/roles/web-logs/files/sync-http-logs.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 set -u
-umask 022
+umask 027
 TARGET="/var/cache/sync-http-logs"
 CONFIG="/etc/rclone/rclone.conf"
@@ -10,6 +10,11 @@ RCLONE="/usr/local/bin/rclone"
 timestamp="$(date +%Y%m%d%H%M%S)"
+if [ "$(whoami)" != "logsync" ]; then
+  echo "ERR: Script needs to be run as logsync user" 1>&2
+  exit 1
+fi
+
 if [ ! -d "$TARGET" ]; then
   echo "ERR: Destination directory '${TARGET}' does not exist" 1>&2
   exit 1
diff --git a/roles/web-logs/tasks/main.yml b/roles/web-logs/tasks/main.yml
index b377af9..ccbe6ad 100644
--- a/roles/web-logs/tasks/main.yml
+++ b/roles/web-logs/tasks/main.yml
@@ -6,6 +6,21 @@
   with_items:
     - rclone
+- name: create logsync group
+  group:
+    name: logsync
+    system: true
+
+- name: create logsync user
+  user:
+    name: logsync
+    comment: Service logsync
+    createhome: false
+    group: logsync
+    home: /var/empty
+    shell: /sbin/nologin
+    system: true
+
 - name: create ssh known_hosts
   template:
     dest: /etc/ssh/ssh_known_hosts
@@ -18,9 +33,9 @@
   file:
     path: "{{ item }}"
     state: directory
-    mode: 0755
-    owner: root
-    group: "{{ ansible_wheel }}"
+    mode: 0750
+    owner: logsync
+    group: logsync
   with_items:
     - /var/cache/sync-http-logs
@@ -28,8 +43,8 @@
   file:
     path: /var/log/rclone
     state: directory
-    mode: 0755
-    owner: root
+    mode: 0750
+    owner: logsync
     group: "{{ ansible_wheel }}"
 - name: copy logsync script
@@ -59,7 +74,7 @@
 - name: add log sync cron job
   cron:
     name: sync-http-logs
-    user: root
+    user: logsync
     hour: "3"
     minute: "0"
     job: /usr/local/bin/sync-http-logs
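Review bot: The identity guard added at the top of the second hunk of sync-http-logs.sh calls an external `whoami` binary, which is not in POSIX and is absent from some minimal images, while the script's shebang is `#!/bin/sh`; `id -un` is the portable equivalent and reports the effective user just as `whoami` does, so the line should read `if [ "$(id -un)" != "logsync" ]; then`. The check enforces the expected identity at run time but does not by itself protect the credentials the script reads; the mode and ownership of `CONFIG` (`/etc/rclone/rclone.conf`) are set outside this diff and should be restricted to the logsync user in the same change. The script body continues past the hunk.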
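Review bot: The new logsync user gets `home: /var/empty` with `createhome: false`, and cron (last hunk) will start the job with HOME pointing there; rclone presumably keeps its cache under `$HOME/.cache/rclone` unless `--cache-dir` is passed, so the nightly run could fail or fall back to an unwritable location — this is inferred from rclone's defaults, not from the hunk, so confirm how `CONFIG` is passed in sync-http-logs.sh. `shell: /sbin/nologin` is also distribution-specific (Debian-derived hosts ship it at `/usr/sbin/nologin`), which deserves a comment or a variable if the role targets more than one OS family. The `ssh_known_hosts` task in the same file suggests an SSH-based remote; any key the former root-run job used under root's home is not visible to logsync, and the diff does not show how credentials are now supplied, so check the rclone config rather than assume it still works.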
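Review bot: `/var/log/rclone` becomes `0750 logsync:{{ ansible_wheel }}` in the third main.yml hunk while the cache directory in the previous hunk becomes `logsync:logsync`; combined with the script's new `umask 027`, files logsync creates in the log directory will likely be `0640` with group `logsync` (its primary group), not the wheel group, unless the directory has the setgid bit, so wheel members could list the directory but not read the logs. If admins are meant to read rclone logs, either set `mode: 02750` here so new files inherit the wheel group, or use `group: logsync` consistently with the cache directory and add admins to that group. How the script opens its log file is outside the diff, so confirm before changing.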