diff --git a/roles/copr/backend/tasks/setup_provisioning_environment.yml b/roles/copr/backend/tasks/setup_provisioning_environment.yml
index 2a2a70f285..94ce4c47ff 100644
--- a/roles/copr/backend/tasks/setup_provisioning_environment.yml
+++ b/roles/copr/backend/tasks/setup_provisioning_environment.yml
@@ -9,14 +9,12 @@
 # Warning: this file is included also from copr-hv playbook(s), so keep the
 # source file arguments absolute (not relative to this role)
-- name: Sync copr provisioning files
+- name: rsync copr provisioning files
 synchronize:
 src: "{{ roles_path }}/copr/backend/files/provision/"
 dest: "{{ provision_directory }}/"
 rsync_opts:
 - "--chown={{ provision_user }}:{{ provision_user }}"
- - "--chmod=D700,F600"
- - "--chmod=a+X"
 tags:
 - provision_config
@@ -25,6 +23,8 @@
 src: "{{ roles_path }}/copr/backend/files/provision/files/mock/"
 dest: "{{ provision_directory }}/files/mock/"
 delete: yes
+ rsync_opts:
+ - "--chown={{ provision_user }}:{{ provision_user }}"
 tags:
 - provision_config
@@ -103,3 +103,18 @@
 mode: "0600"
 tags:
 - provision_config
+
+- name: fix perms for copr provisioning files
+ ansible.builtin.file:
+ path: "{{ provision_directory }}"
+ owner: "{{ provision_user }}"
+ group: "{{ provision_user }}"
+ # The mode 'u=rwX,g=,o=' achieves the required complex permissions:
+ # - u=rw: Base 600 permissions for owner.
+ # - X: Adds executable bit only if path is a directory (700) or was already executable (700).
+ # - g=,o=: Explicitly removes permissions from group and others (resulting in D700/F600).
+ mode: 'u=rwX,g=,o='
+ state: directory
+ recurse: yes
+ tags:
+ - provision_config
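Review bot: With both `--chmod` entries removed from `rsync_opts` in the first hunk, the transfer no longer restricts modes itself, so files presumably land with the source tree's permissions (synchronize runs rsync in archive mode by default) until the `fix perms` task at the end of the file runs. If any task in between fails, the provisioning tree can stay group- or world-readable on the target, and the same holds for the mock sync in the second hunk, which gains `--chown` but no mode restriction. Keeping one restrictive option on both synchronize tasks, for example `- "--chmod=u=rwX,go="`, would close that window, with the recursive file task as a backstop. Without it, runs where source and target modes differ will likely report a change on both the sync and the fix-up task.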
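Review bot: The comment above `mode:` in the new `fix perms` task ends with "resulting in D700/F600", which contradicts its own `X` bullet: a file that arrives with any execute bit set ends up 0700, not 0600. I would reword the last bullet to `# - g=,o=: removes all group/other bits (dirs 700, files 600, files that were already executable 700)` so nobody reads it as a guarantee that no file under the provision directory is executable. As a style point, `recurse: yes` would be `recurse: true`, avoiding the YAML 1.1 truthy form. Because the task recurses over the whole `provision_directory`, it also overrides any mode an earlier task in this file sets on purpose; the visible context only shows `mode: "0600"`, which is unaffected, but the tasks outside the hunks are worth checking.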