diff --git a/cmd/joj3/conf/conf.go b/cmd/joj3/conf/conf.go
index c3c0b03..ec411db 100644
--- a/cmd/joj3/conf/conf.go
+++ b/cmd/joj3/conf/conf.go
@@ -13,6 +13,7 @@ import (
 	"path/filepath"
 	"regexp"
 	"strings"
+	"syscall"
 
 	"github.com/go-git/go-git/v5"
 	"github.com/koding/multiconfig"
@@ -183,6 +184,19 @@ func GetConfPath(confRoot, confName, fallbackConfName, msg, tag string) (
 			return confPath, confStat, conventionalCommit, err
 		}
 	}
+	// Check file ownership
+	if stat, ok := confStat.Sys().(*syscall.Stat_t); ok {
+		uid := int(stat.Uid)
+		currentUid := os.Getuid()
+		if uid != 0 && uid != currentUid {
+			err = fmt.Errorf("insecure configuration file: owned by uid %d, expected 0 or %d", uid, currentUid)
+			slog.Error("insecure conf file", "path", confPath, "uid", uid, "expected_uid", currentUid)
+			return confPath, confStat, conventionalCommit, err
+		}
+	} else {
+		slog.Warn("could not determine file ownership, proceeding with caution", "path", confPath)
+	}
+
 	return confPath, confStat, conventionalCommit, err
 }
 
diff --git a/internal/executor/local/meta.go b/internal/executor/local/meta.go
index 0e6fadf..ed8e09b 100644
--- a/internal/executor/local/meta.go
+++ b/internal/executor/local/meta.go
@@ -3,12 +3,18 @@
 // used for passing run time parameters.
 package local
 
-import "github.com/joint-online-judge/JOJ3/internal/stage"
+import (
+	"os"
+
+	"github.com/joint-online-judge/JOJ3/internal/stage"
+)
 
 var name = "local"
 
 type Local struct{}
 
 func init() {
-	stage.RegisterExecutor(name, &Local{})
+	if os.Getenv("JOJ3_ENABLE_LOCAL_EXECUTOR") == "true" {
+		stage.RegisterExecutor(name, &Local{})
+	}
 }