diff --git a/SOURCES/dont-set-hardcoded-umask.patch b/SOURCES/dont-set-hardcoded-umask.patch
new file mode 100644
index 0000000..9cf9a8c
--- /dev/null
+++ b/SOURCES/dont-set-hardcoded-umask.patch
@@ -0,0 +1,43 @@
+diff --git a/bashrc b/bashrc
+index d462ac7..b0740cb 100644
+--- a/bashrc
++++ b/bashrc
+@@ -65,15 +65,8 @@ if [ -z "$BASHRCSOURCED" ]; then
+         esac
+     }
+ 
+-    # By default, we want umask to get set. This sets it for non-login shell.
+-    # Current threshold for system reserved uid/gids is 200
+-    # You could check uidgid reservation validity in
+-    # /usr/share/doc/setup-*/uidgid file
+-    if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
+-       umask 002
+-    else
+-       umask 022
+-    fi
++    # Set default umask for non-login shell only if it is set to 0
++    [ `umask` -eq 0 ] && umask 022
+ 
+     SHELL=/bin/bash
+     # Only display echos from profile.d scripts if we are no login shell
+diff --git a/csh.cshrc b/csh.cshrc
+index eda4aa7..8f169a1 100644
+--- a/csh.cshrc
++++ b/csh.cshrc
+@@ -2,14 +2,8 @@
+ #
+ # csh configuration for all shell invocations.
+ 
+-# By default, we want this to get set.
+-# Even for non-interactive, non-login shells.
+-# Current threshold for system reserved uid/gids is 200
+-# You could check uidgid reservation validity in
+-# /usr/share/doc/setup-*/uidgid file
+-if ($uid > 199 && "`/usr/bin/id -gn`" == "`/usr/bin/id -un`") then
+-    umask 002
+-else
++# Set default umask for non-login shell only if it is set to 0
++if ( `umask` == 0 ) then
+     umask 022
+ endif
+ 
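Review bot: The fallback added to bashrc and csh.cshrc replaces only an inherited umask of exactly 0, so any other permissive inherited value is now kept unchanged, including for accounts that the removed code forced to 022. The new comments do not say where the default is now expected to come from. I would spell that out, e.g. `# umask is inherited from the parent process (presumably login.defs/pam_umask - confirm); only a mask of 0 is replaced with 022`. The csh.cshrc comment also says "non-login shell" although the file header in the same hunk describes it as configuration for all shell invocations, so the wording should match. As a style point, the bashrc test reads better quoted and without backticks, `[ "$(umask)" -eq 0 ] && umask 022`; the enclosing `if [ -z "$BASHRCSOURCED" ]` block starts and ends outside the hunk.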
diff --git a/SPECS/setup.spec b/SPECS/setup.spec
index 6487b8a..14a731c 100644
--- a/SPECS/setup.spec
+++ b/SPECS/setup.spec
@@ -1,7 +1,7 @@
 Summary: A set of system configuration and setup files
 Name: setup
 Version: 2.13.7
-Release: 7%{?dist}
+Release: 9%{?dist}
 License: Public Domain
 Group: System Environment/Base
 URL: https://pagure.io/setup/
@@ -18,6 +18,7 @@ Conflicts: initscripts < 4.26, bash <= 2.0.4-21
 Patch0:    setup-hostname.patch
 Patch1:    csh.login-unset-p.patch
 Patch2:    bashrc-remove-VTE-specific-PROMPT_COMMAND.patch
+Patch3:    dont-set-hardcoded-umask.patch
 
 %description
 The setup package contains a set of important system configuration and
@@ -67,6 +68,13 @@ rm -f %{buildroot}/etc/shadowconvert.sh
 rm -f %{buildroot}/etc/setup.spec
 rm -rf %{buildroot}/etc/contrib
 
+# make setup a protected package
+install -p -d -m 755 %{buildroot}/etc/dnf/protected.d/
+touch %{name}.conf
+echo setup > %{name}.conf
+install -p -c -m 0644 %{name}.conf %{buildroot}/etc/dnf/protected.d/
+rm -f %{name}.conf
+
 #throw away useless and dangerous update stuff until rpm will be able to
 #handle it ( http://rpm.org/ticket/6 )
 %post -p <lua>
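Review bot: The protected.d snippet is staged through a scratch file named `%{name}.conf` in the build directory, which is then overwritten and removed. The %files list already carries `%{_tmpfilesdir}/%{name}.conf`, so if the source tree ships a file of that name it would be clobbered and deleted here; that depends on the part of %install outside this hunk, so it needs checking. The `touch` is redundant before the redirect, and `echo setup` hard-codes a name that every other line takes from `%{name}`. Writing the file in place avoids all three: `echo %{name} > %{buildroot}/etc/dnf/protected.d/%{name}.conf` followed by `chmod 0644 %{buildroot}/etc/dnf/protected.d/%{name}.conf`, which keeps the mode explicit rather than dependent on the build umask.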
@@ -115,8 +123,15 @@ end
 %config(noreplace) %verify(not md5 size mtime) /etc/shells
 %ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/fstab
 %{_tmpfilesdir}/%{name}.conf
+/etc/dnf/protected.d/%{name}.conf
 
 %changelog
+* Wed Dec 21 2022 Martin Osvald <mosvald@redhat.com> - 2.13.7-9
+- make setup protected package (#2155529)
+
+* Thu Nov 24 2022 Martin Osvald <mosvald@redhat.com> - 2.13.7-8
+- Set default umask for non-login shell only if it is set to 0 (#2062601)
+
 * Mon May 09 2022 Martin Osvald <mosvald@redhat.com> - 2.13.7-7
 - Move /var/log/lastlog ownership to systemd (#2066753)
 - tcsh sets variable p to /usr/sbin from /etc/csh.login (#2066767)