diff --git a/README-Docker.md b/README-Docker.md
index 27acf53aa..02b0dc5d7 100644
--- a/README-Docker.md
+++ b/README-Docker.md
@@ -15,6 +15,9 @@ To grant Syncthing additional capabilities without running as root, use the
 `PCAP` environment variable with the same syntax as that for `setcap(8)`.
 For example, `PCAP=cap_chown,cap_fowner+ep`.
 
+To set a different umask value, use the `UMASK` environment variable. For
+example `UMASK=002`.
+
 ## Example Usage
 
 **Docker cli**
diff --git a/script/docker-entrypoint.sh b/script/docker-entrypoint.sh
index af87ef80b..26a0c12c5 100755
--- a/script/docker-entrypoint.sh
+++ b/script/docker-entrypoint.sh
@@ -2,9 +2,11 @@
 
 set -eu
 
+[ -n "${UMASK:-}" ] && umask "$UMASK"
+
 if [ "$(id -u)" = '0' ]; then
   binary="$1"
-  if [ "${PCAP:-}" == "" ] ; then
+  if [ -z "${PCAP:-}" ]; then
     # If Syncthing should have no extra capabilities, make sure to remove them
     # from the binary. This will fail with an error if there are no
     # capabilities to remove, hence the || true etc.