diff --git a/l4d2web/services/overlay_builders.py b/l4d2web/services/overlay_builders.py
index 223aaca..da1d95c 100644
--- a/l4d2web/services/overlay_builders.py
+++ b/l4d2web/services/overlay_builders.py
@@ -192,6 +192,11 @@ def run_sandboxed_script(
 with tempfile.NamedTemporaryFile("w", suffix=".sh", delete=False) as f:
 f.write(script_text or "")
 script_path = f.name
+ # NamedTemporaryFile creates 0600 owned by the web user; the sandbox runs
+ # as l4d2-sandbox and needs to read it (bind-mounted at /script.sh inside
+ # the sandbox). Script content is not a secret — it's plain bash stored
+ # in the DB and editable by the user — so 0644 is appropriate.
+ os.chmod(script_path, 0o644)
 try:
 cmd = [
 "sudo",
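Review bot: `os.chmod(script_path, 0o644)` makes the script readable by every local account for as long as the file exists, not only by l4d2-sandbox, and the "not a secret" assumption in the comment is fragile because user-edited bash can carry tokens or credentialed download URLs. If the deployment allows the web user to share a group with l4d2-sandbox, group ownership plus `0o640` would grant exactly the access the sandbox needs. Setting the mode on the open descriptor inside the `with` block, `os.fchmod(f.fileno(), 0o644)`, would also keep the permission change next to the file creation and avoid a second path lookup. The call sits before `try:`, so if it raises, any cleanup the `try` provides for this `delete=False` file is skipped; the rest of `run_sandboxed_script` is outside the hunk, so that part is inferred.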