diff --git a/libexec/nuageinit/nuage.lua b/libexec/nuageinit/nuage.lua --- a/libexec/nuageinit/nuage.lua +++ b/libexec/nuageinit/nuage.lua @@ -56,6 +56,21 @@ os.exit(1) end +local function chmod(path, mode) + local mode = tonumber(mode, 8) + local _, err, msg = sys_stat.chmod(path, mode) + if err then + errmsg("chmod(" .. path .. ", " .. mode .. ") failed: " .. msg) + end +end + +local function chown(path, owner, group) + local _, err, msg = unistd.chown(path, owner, group) + if err then + errmsg("chown(" .. path .. ", " .. owner .. ", " .. group .. ") failed: " .. msg) + end +end + local function dirname(oldpath) if not oldpath then return nil @@ -252,12 +267,12 @@ f:write(key .. "\n") f:close() if chownak then - sys_stat.chmod(ak_path, 384) - unistd.chown(ak_path, dirattrs.uid, dirattrs.gid) + chmod(ak_path, "0600") + chown(ak_path, dirattrs.uid, dirattrs.gid) end if chowndotssh then - sys_stat.chmod(dotssh_path, 448) - unistd.chown(dotssh_path, dirattrs.uid, dirattrs.gid) + chmod(dotssh_path, "0700") + chown(dotssh_path, dirattrs.uid, dirattrs.gid) end end @@ -296,10 +311,10 @@ end f:close() if chmodsudoers then - sys_stat.chmod(sudoers, 416) + chmod(sudoers, "0640") end if chmodsudoersd then - sys_stat.chmod(sudoers, 480) + chmod(sudoers, "0740") end end @@ -521,16 +536,14 @@ end f:close() if file.permissions then - -- convert from octal to decimal - local perm = tonumber(file.permissions, 8) - sys_stat.chmod(filepath, perm) + chmod(filepath, file.permissions) end if file.owner then local owner, group = string.match(file.owner, "([^:]+):([^:]+)") if not owner then owner = file.owner end - unistd.chown(filepath, owner, group) + chown(filepath, owner, group) end return true end @@ -538,6 +551,8 @@ local n = { warn = warnmsg, err = errmsg, + chmod = chmod, + chown = chown, dirname = dirname, mkdir_p = mkdir_p, sethostname = sethostname, diff --git a/libexec/nuageinit/nuageinit b/libexec/nuageinit/nuageinit --- a/libexec/nuageinit/nuageinit 
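Review bot: In the new `chown` helper (first hunk of nuage.lua) the failure message concatenates `owner` and `group` directly, but the write_files hunk further down calls `chown(filepath, owner, group)` with `group` left nil when `file.owner` has no colon, so a failed chown raises a Lua concatenation error instead of the intended message. The `chmod` helper has the same weakness: `file.permissions` comes from user data, a non-octal string makes `tonumber(mode, 8)` return nil, and that nil goes to `sys_stat.chmod` and into the message. Shadowing `mode` also means the message prints the decimal value (384 rather than 0600). If the binding follows the luaposix convention of returning `nil, message, errno`, then `msg` here is the errno number and `err` holds the text, which is worth confirming. The sketch below validates the mode and makes the error path nil-safe; whether `errmsg` returns or exits is not visible in the hunk, hence the explicit `return`.
```lua
local function chmod(path, mode)
	-- reject anything that is not an octal string before touching the file
	local octal = type(mode) == "string" and tonumber(mode, 8)
	if not octal then
		errmsg("chmod(" .. path .. "): invalid octal mode " .. tostring(mode))
		return
	end
	local _, err, msg = sys_stat.chmod(path, octal)
	if err then
		errmsg("chmod(" .. path .. ", " .. mode .. ") failed: " .. tostring(msg))
	end
end

local function chown(path, owner, group)
	local _, err, msg = unistd.chown(path, owner, group)
	if err then
		-- owner/group may be nil (e.g. "owner" given without ":group")
		errmsg("chown(" .. path .. ", " .. tostring(owner) .. ", " .. tostring(group) .. ") failed: " .. tostring(msg))
	end
end
```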
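Review bot: In the sudoers hunk the `chmodsudoersd` branch still applies its mode to `sudoers`, the same path the `chmodsudoers` branch has just set to 0640, so when both flags are set the file ends up 0740 (owner-executable) and the directory that the flag's name suggests is never touched. This is carried over unchanged from the old `sys_stat.chmod(sudoers, 480)`. The variable holding the directory path is outside the hunk, so confirm against the enclosing function; if the directory was intended, the second call should take that path instead of `sudoers`. Since the helper now reports failures, this is a good moment to fix the target rather than preserve it.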
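Review bot: In the write_files hunk `chmod(filepath, file.permissions)` runs only after the content has been written and `f:close()` has returned, so a file requested as 0600 keeps whatever mode it was created with until the chmod lands. The same ordering applies to the private-key hunk in nuageinit, where `nuage.chmod(path, "0600")` follows `sshkey:close()`. The open calls are outside both hunks, so this is inferred; if the files are created with default umask permissions, restrict the mode before the first write (a tighter umask around creation, or chmod right after open). At minimum add a comment such as `-- NOTE: mode is applied after the write; content is briefly readable at the creation mode`.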
+++ b/libexec/nuageinit/nuageinit @@ -7,7 +7,6 @@ local nuage = require("nuage") local ucl = require("ucl") local yaml = require("lyaml") -local sys_stat = require("posix.sys.stat") if #arg ~= 2 then nuage.err("Usage: " .. arg[0] .. " ( | )", false) @@ -157,7 +156,7 @@ sshkey:close() end if keytype == "private" then - sys_stat.chmod(path, 384) + nuage.chmod(path, "0600") end end end @@ -281,7 +280,7 @@ end if f ~= nil then f:close() - sys_stat.chmod(root .. "/var/cache/nuageinit/runcmds", 493) + nuage.chmod(root .. "/var/cache/nuageinit/runcmds", "0755") end end @@ -503,5 +502,5 @@ end elseif line:sub(1, 2) == "#!" then -- delay for execution at rc.local time -- - sys_stat.chmod(root .. "/var/cache/nuageinit/user_data", 493) + nuage.chmod(root .. "/var/cache/nuageinit/user_data", "0755") end
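Review bot: The `runcmds` hunk and the final `user_data` hunk both keep mode 0755 (previously the decimal 493), which leaves these scripts readable by every local user, and user data and run commands frequently embed credentials or tokens. The code that later executes them is not visible here, but if only root runs them at boot, owner-only access is enough: `nuage.chmod(root .. "/var/cache/nuageinit/runcmds", "0700")`, and likewise for `user_data`. If 0755 is deliberate, a short comment saying why would help the next reviewer.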