diff --git a/initscript b/initscript
index 5b311b9..a1b6e6f 100644
--- a/initscript
+++ b/initscript
@@ -2,7 +2,7 @@
 
 NODE_PATH=/usr/lib/node_modules
 LOGFILE=/var/log/rlgwebd.log
-CTLSOCKET=/var/run/rlgwebd.sock
+CTLSOCKET=/var/run/rlgwebd/rlgwebd.sock
 RLGWEBDJS=/usr/local/bin/rlgwebd
 
 export NODE_PATH
diff --git a/rlgwebd b/rlgwebd
index b5513be..3d520f7 100755
--- a/rlgwebd
+++ b/rlgwebd
@@ -15,7 +15,7 @@ var WebSocketServer = require("websocket").server;
 
 /* Default options */
 var rlgwebd_options = { 
-  control_socket: "/var/run/rlgwebd.sock",
+  control_socket: "/var/run/rlgwebd/rlgwebd.sock",
   port: 8080,
   chrootDir: "/var/dgl/",
   username: "rodney",
@@ -1266,6 +1266,21 @@ if (rlgwebd_options.use_https) {
     tls_options.ca = read_or_die(rlgwebd_options.cafile, "CA file");
 };
 
+/* Make sure the socket directory is secure. */
+var socket_dir = path.dirname(rlgwebd_options.control_socket);
+try {
+  fs.mkdirSync(socket_dir, 0o700);
+}
+catch (err) {
+  if (err.code == "EEXIST") {
+    fs.chownSync(socket_dir, 0, 0);
+    fs.chmodSync(socket_dir, 0o700);
+  }
+  else {
+    throw err;
+  }
+}
+
 /* Open the control socket before chrooting where it can't be found */
 var ctlServer = net.createServer(function (sock) {
   sock.on('data', consoleHandler);
diff --git a/rlgwebd-stop b/rlgwebd-stop
index 592134e..5e81ea1 100755
--- a/rlgwebd-stop
+++ b/rlgwebd-stop
@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 var net = require('net');
-var sockpath = "/var/run/rlgwebd.sock";
+var sockpath = "/var/run/rlgwebd/rlgwebd.sock";
 
 var sock = new net.Socket();
 
diff --git a/rlgwebd.conf b/rlgwebd.conf
index 220ef90..a2ccd44 100644
--- a/rlgwebd.conf
+++ b/rlgwebd.conf
@@ -3,7 +3,7 @@
 
 # These values are set by default:
 # Location of the socket for start/stop commands
-#control_socket = /var/run/rlgwebd.sock
+#control_socket = /var/run/rlgwebd/rlgwebd.sock
 # Port number to bind
 #port = 8080
 # Path to the dgamelaunch installation to chroot into