diff --git a/docs/release-notes/release-notes-0.14.0.md b/docs/release-notes/release-notes-0.14.0.md index 7261007cb..a752b1758 100644 --- a/docs/release-notes/release-notes-0.14.0.md +++ b/docs/release-notes/release-notes-0.14.0.md @@ -10,6 +10,19 @@ `lightning.proto`](https://github.com/lightningnetwork/lnd/pull/5473) to fix a warning related to protobuf file name collisions. +## Security + +### Admin macaroon permissions + +The default file permissions of admin.macaroon were [changed from 0600 to +0640](https://github.com/lightningnetwork/lnd/pull/5534). This makes it easier +to allow other users to manage LND. This is safe on common Unix systems +because they always create a new group for each user. + +If you use a strange system or changed group membership of the group running LND +you may want to check your system to see if it introduces additional risk for +you. + # Build System * [A new pre-submit check has been @@ -63,5 +76,6 @@ to make LNDs payment throughput (and latency) with better when using etcd. # Contributors (Alphabetical Order) * ErikEk +* Martin Habovstiak * Zero-1729 * Oliver Gugger diff --git a/lnd.go b/lnd.go index 873104b01..d883c92cc 100644 --- a/lnd.go +++ b/lnd.go 
@@ -57,6 +57,22 @@ import (
 "github.com/lightningnetwork/lnd/watchtower/wtdb"
 )
 
+const (
+ // adminMacaroonFilePermissions is the file permission that is used for
+ // creating the admin macaroon file.
+ //
+ // Why 640 is safe:
+ // Assuming a reasonably secure Linux system, it will have a
+ // separate group for each user. E.g. a new user lnd gets assigned group
+ // lnd which nothing else belongs to. A system that does not do this is
+ // inherently broken already.
+ //
+ // Since there is no other user in the group, no other user can read
+ // admin macaroon unless the administrator explicitly allowed it. Thus
+ // there's no harm allowing group read.
+ adminMacaroonFilePermissions = 0640
+)
+
 // AdminAuthOptions returns a list of DialOptions that can be used to
 // authenticate with the RPC server with admin capabilities.
 // skipMacaroons=true should be set if we don't want to include macaroons with
@@ -1256,7 +1272,9 @@ func genMacaroons(ctx context.Context, svc *macaroons.Service,
 if err != nil {
 return err
 }
- if err = ioutil.WriteFile(admFile, admBytes, 0600); err != nil {
+
+ err = ioutil.WriteFile(admFile, admBytes, adminMacaroonFilePermissions)
+ if err != nil {
 _ = os.Remove(admFile)
 return err
 }
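Review bot: The comment on `adminMacaroonFilePermissions` treats one-group-per-user as a property of every sane system, but it is a distribution default, not a guarantee. macOS places accounts in the shared `staff` group, and Linux hosts with user-private groups turned off (`USERGROUPS_ENAB no`) or containers running under a shared GID behave the same way. On such hosts 0640 lets every member of that group read a credential that carries admin capabilities on the RPC server. Consider keeping 0600 as the default and making group read an explicit opt-in, or at minimum replace the "inherently broken" sentence with `// Group read is only safe when the lnd user's primary group has no other members; verify this on the target host.`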
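Review bot: The mode passed to `ioutil.WriteFile` in genMacaroons is applied only when the file is created and is then masked by the process umask, so the result can be stricter than 0640 and an already existing admin macaroon keeps whatever mode it has. A comment at the call would keep operators from assuming the constant is the effective mode, e.g. `// Mode applies only on creation and is subject to umask; an existing file keeps its mode.` Group read also only takes effect if the directory holding the macaroon is group-traversable, which this hunk does not show. Whether genMacaroons can run with admFile already present cannot be told from here, since the function starts and ends outside the hunk.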