diff --git a/apps/common/utils/tool_code.py b/apps/common/utils/tool_code.py
index 34eb2e130..bc97edd25 100644
--- a/apps/common/utils/tool_code.py
+++ b/apps/common/utils/tool_code.py
@@ -36,6 +36,8 @@ class ToolExecutor:
 if ToolExecutor._dir_initialized:
 # 只初始化一次
 return
+ if self.sandbox:
+ os.chmod("/dev/shm", 0o707)
 if CONFIG.get("SANDBOX_TMP_DIR_ENABLED", '0') == "1":
 tmp_dir_path = os.path.join(self.sandbox_path, 'tmp')
 os.makedirs(tmp_dir_path, 0o700, exist_ok=True)
diff --git a/installer/Dockerfile-base b/installer/Dockerfile-base
index b56de9134..643b1b733 100644
--- a/installer/Dockerfile-base
+++ b/installer/Dockerfile-base
@@ -30,7 +30,7 @@ RUN ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
 chmod g-xr /usr/local/bin/* /usr/bin/* /bin/* /usr/sbin/* /sbin/* /usr/lib/postgresql/17/bin/* && \
 chmod g+xr /usr/bin/ld.so && \
 chmod g+x /usr/local/bin/python* && \
- chmod -R g-rwx /tmp /var/tmp /dev/shm /var/lock && \
+ chmod -R g-rwx /tmp /var/tmp /dev/mqueue /var/lock /var/lib/postgresql && \
 apt-get clean all && \
 rm -rf /var/lib/apt/lists/* /usr/share/doc/* /usr/share/man/* /usr/share/info/* /usr/share/locale/* /usr/share/lintian/* /usr/share/linda/* /var/cache/* /var/log/* /var/tmp/* /tmp/*
 COPY --from=vector-model --chmod=700 /opt/maxkb-app/model /opt/maxkb-app/model
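Review bot: The mode in the added `os.chmod("/dev/shm", 0o707)` has no sticky bit, which /dev/shm normally carries (mode 1777), so any account that reaches the directory through the "other" bits can rename or delete entries it does not own. Unless that is intended, `os.chmod("/dev/shm", 0o1707)` keeps the group lock-out and restores restricted deletion. The call is also unguarded: an `OSError` (the process does not own the directory, or the path is missing) would propagate out of this one-time initialisation, so catching and logging it may be worth considering. A comment such as `# deny group access to /dev/shm at runtime (presumably the sandbox group); confirm the mode set in the image does not survive the mount` would record why the mode is set here. The enclosing method starts and ends outside the hunk.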
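Review bot: Adding `/dev/mqueue` to the build-time `chmod -R g-rwx` list likely has the same weakness that apparently moved `/dev/shm` out of it. Container runtimes usually mount a fresh mqueue filesystem at `/dev/mqueue` when the container starts, so a mode set while building the image would not carry over to the running container. If the restriction matters for the sandbox, apply it at startup next to the `/dev/shm` chmod in tool_code.py, or confirm the effective mode with `stat -c '%a %U:%G' /dev/mqueue` inside a running container. A comment above the RUN instruction (which begins outside this hunk) would help too, for example `# strip group access so the sandbox group cannot use shared scratch dirs or the PostgreSQL data dir`, with the group name confirmed against the image's user setup.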