diff --git a/snapcraft.yaml b/snapcraft.yaml
index d60d9bfcc..699d72ddd 100644
--- a/snapcraft.yaml
+++ b/snapcraft.yaml
@@ -70,7 +70,7 @@ parts:
 
     source: https://git.launchpad.net/curtin
     source-type: git
-    source-commit: 64ea5fbe827aa98ddc63ea87de2de45689180c82
+    source-commit: 7c18bf6a24297ed465a341a1f53875b61c878d6b
 
     override-pull: |
       craftctl default
diff --git a/subiquity/common/api/server.py b/subiquity/common/api/server.py
index 3e70ccf20..dd4b6840b 100644
--- a/subiquity/common/api/server.py
+++ b/subiquity/common/api/server.py
@@ -221,7 +221,7 @@ def bind(router, endpoint, controller, serializer=None, _depth=None):
 async def make_server_at_path(socket_path, endpoint, controller, **kw):
     app = web.Application(**kw)
     bind(app.router, endpoint, controller)
-    runner = web.AppRunner(app)
+    runner = web.AppRunner(app, access_log=None)
     await runner.setup()
     site = web.UnixSite(runner, socket_path)
     await site.start()
diff --git a/subiquity/server/controllers/network.py b/subiquity/server/controllers/network.py
index e69db944c..00f90094b 100644
--- a/subiquity/server/controllers/network.py
+++ b/subiquity/server/controllers/network.py
@@ -310,7 +310,8 @@ def update_has_default_route(self, has_default_route):
 
     def _send_update(self, act, dev):
         with self.context.child("_send_update", "{} {}".format(act.name, dev.name)):
-            log.debug("dev_info {} {}".format(dev.name, dev.config))
+            # disable log - can contain PSK
+            # log.debug("dev_info {} {}".format(dev.name, dev.config))
             dev_info = dev.netdev_info()
             self._call_clients("update_link", act, dev_info)
 
diff --git a/subiquity/server/server.py b/subiquity/server/server.py
index 1cadce595..3d4bd0348 100644
--- a/subiquity/server/server.py
+++ b/subiquity/server/server.py
@@ -497,7 +497,7 @@ async def start_api_server(self):
             bind(app.router, API.dry_run, DryRunController(self))
         for controller in self.controllers.instances:
             controller.add_routes(app)
-        runner = web.AppRunner(app, keepalive_timeout=0xFFFFFFFF)
+        runner = web.AppRunner(app, keepalive_timeout=0xFFFFFFFF, access_log=None)
         await runner.setup()
         await self.start_site(runner)
 
diff --git a/subiquitycore/file_util.py b/subiquitycore/file_util.py
index 25701a9c4..c1e48e504 100644
--- a/subiquitycore/file_util.py
+++ b/subiquitycore/file_util.py
@@ -23,8 +23,8 @@
 
 import yaml
 
-_DEF_PERMS_FILE = 0o640
-_DEF_GROUP = "adm"
+_DEF_PERMS_FILE = 0o600
+_DEF_GROUP = "root"
 
 log = logging.getLogger("subiquitycore.file_util")
 
diff --git a/subiquitycore/log.py b/subiquitycore/log.py
index 36a54f978..10a99126a 100644
--- a/subiquitycore/log.py
+++ b/subiquitycore/log.py
@@ -23,7 +23,7 @@ def setup_logger(dir, base="subiquity"):
     os.makedirs(dir, exist_ok=True)
     # Create the log directory in such a way that users in the group may
     # write to this directory in the installation environment.
-    set_log_perms(dir, group_write=True)
+    set_log_perms(dir, mode=0o700)
 
     logger = logging.getLogger("")
     logger.setLevel(logging.DEBUG)