diff --git a/apps/dashboard/config/configuration_singleton.rb b/apps/dashboard/config/configuration_singleton.rb
index 68ecff732..174d4c5b4 100644
--- a/apps/dashboard/config/configuration_singleton.rb
+++ b/apps/dashboard/config/configuration_singleton.rb
@@ -435,7 +435,10 @@ def can_access_core_app?(name)
   def read_config
     files = Pathname.glob(config_directory.join("*.{yml,yaml,yml.erb,yaml.erb}"))
-    files.sort.each_with_object({}) do |f, conf|
+    files.sort.select do |f|
+      # only resond to root owned files in production.
+      rails_env == 'production' ? File.stat(f).uid.zero? : true
+    end.each_with_object({}) do |f, conf|
       begin
         content = ERB.new(f.read, trim_mode: "-").result(binding)
         yml = YAML.safe_load(content, aliases: true) || {}