diff --git a/backport-Make-systemd-use-0700-mode-on-cache-folders.patch b/backport-Make-systemd-use-0700-mode-on-cache-folders.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4ba759bb8e7cfbb79569ce06b4df62d0fb3de7e5
--- /dev/null
+++ b/backport-Make-systemd-use-0700-mode-on-cache-folders.patch
@@ -0,0 +1,30 @@
+From b954728937c09a40409279d1247679aa5d39c7c8 Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Wed, 7 Aug 2024 10:27:39 +0200
+Subject: [PATCH] Make systemd use 0700 mode on cache folders
+
+The provided gssproxy.service unit configures /var/lib/gssproxy/clients
+and /var/lib/gssproxy/rcache as "StateDirectory". However, systemd
+applies mode 0755 by default on such folders. "StateDirectoryMode" has
+to be set too to restrict access to root only.
+
+Signed-off-by: Julien Rische
+---
+ systemd/gssproxy.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/systemd/gssproxy.service.in b/systemd/gssproxy.service.in
+index 0db9a9d..9b8c45a 100644
+--- a/systemd/gssproxy.service.in
++++ b/systemd/gssproxy.service.in
+@@ -6,6 +6,7 @@ Before=rpc-gssd.service
+
+ [Service]
+ StateDirectory=gssproxy/clients gssproxy/rcache
++StateDirectoryMode=0700
+ Environment=KRB5RCACHEDIR=/var/lib/gssproxy/rcache
+ ExecStart=@sbindir@/gssproxy -D
+ # These two should be used with traditional UNIX forking daemons
+--
+2.43.0
+
diff --git a/gssproxy.spec b/gssproxy.spec
index adb9374aee1acad1142d7968ad7828bcdd222950..279faf76d19add2afababa00a19e5fa1dcc4b908 100644
--- a/gssproxy.spec
+++ b/gssproxy.spec
@@ -7,7 +7,7 @@
 Name: gssproxy
 Version: 0.9.2
-Release: 4
+Release: 5
 Summary: GSSAPI Proxy
 License: MIT
 URL: https://github.com/gssapi/gssproxy
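Review bot: The added `StateDirectoryMode=0700` in the backported gssproxy.service.in hunk only protects the cache directories where systemd is the one that sets their mode, and this package also creates them at build time (`mkdir -p %{buildroot}%{gpstatedir}/rcache` is visible as context in the spec diff). The `%files` entries for `clients` and `rcache` are outside this diff; if they do not already carry it, they should get a matching `%attr(0700,root,root)` so the packaged mode and the unit agree. It is also worth verifying on an upgraded host that directories previously created at 0755 are actually tightened after the service restarts, since systemd may only log a mode mismatch for a pre-existing directory rather than chmod it; confirm this for the systemd version shipped. If it does not, a `%post` chmod of the two directories would close the gap for existing installs.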
@@ -15,6 +15,7 @@ Source0: https://github.com/gssapi/%{name}/releases/download/v%{version}/%{name}
 Patch1: backport-Remove-from-the-correct-list.patch
 Patch2: backport-Fix-various-issues-detected-by-static-analysis.patch
+Patch3: backport-Make-systemd-use-0700-mode-on-cache-folders.patch
 Requires: krb5 keyutils libverto-module-base libini_config
 %{?systemd_requires}
@@ -107,6 +108,9 @@ mkdir -p %{buildroot}%{gpstatedir}/rcache
 %{_mandir}/man8/gssproxy-mech.8*
 %changelog
+* Fri Oct 31 2025 yixiangzhike - 0.9.2-5
+- make systemd use 0700 mode on cache folders
+
 * Thu Sep 25 2025 yixiangzhike - 0.9.2-4
 - backport upstream patch to fix various issues detected by static analysis