diff --git a/lib/tbot/config/destination_directory.go b/lib/tbot/config/destination_directory.go
index 1020a2bab9f14..0bf453791627f 100644
--- a/lib/tbot/config/destination_directory.go
+++ b/lib/tbot/config/destination_directory.go
@@ -17,7 +17,9 @@ limitations under the License.
 package config
 import (
+ "errors"
 "fmt"
+ "io/fs"
 "os"
 "os/user"
 "path"
@@ -121,11 +123,18 @@ func mkdir(p string) error {
 stat, err := os.Stat(p)
 if trace.IsNotFound(err) {
 if err := os.MkdirAll(p, botfs.DefaultDirMode); err != nil {
+ if errors.Is(err, fs.ErrPermission) {
+ return trace.Wrap(err, "Teleport does not have permission to write to %v. Ensure that you are running as a user with appropriate permissions.", p)
+ }
 return trace.Wrap(err)
 }
 log.Infof("Created directory %q", p)
 } else if err != nil {
+ // this can occur if we are unable to read the data dir
+ if errors.Is(err, fs.ErrPermission) {
+ return trace.Wrap(err, "Teleport does not have permission to access: %v. Ensure that you are running as a user with appropriate permissions.", p)
+ }
 return trace.Wrap(err)
 } else if !stat.IsDir() {
 return trace.BadParameter("Path %q already exists and is not a directory", p)
diff --git a/tool/tctl/common/tctl.go b/tool/tctl/common/tctl.go
index c42d76a3b4948..d916e7a48af92 100644
--- a/tool/tctl/common/tctl.go
+++ b/tool/tctl/common/tctl.go
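Review bot: In mkdir (lib/tbot/config/destination_directory.go), the `os.MkdirAll` branch reports "permission to write to %v" with `p`, but MkdirAll can be denied on a parent component, so the path named in the message may not be the one whose permissions need fixing. The wrapped error still carries the failing path, so wording the message around creating `p` rather than writing to it would be more accurate. Both new messages format the path with `%v`, while the neighbouring `log.Infof("Created directory %q", p)` and `trace.BadParameter("Path %q ...")` quote it; `%q` would keep an empty or space-containing destination visible. The comment `// this can occur if we are unable to read the data dir` sits in a helper that takes an arbitrary `p`, so `// Stat fails with a permission error when p or one of its parents is not accessible` would describe it better. mkdir's signature appears only in the hunk header, and the function may continue past the last line shown.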
@@ -282,9 +282,13 @@ func applyConfig(ccf *GlobalCLIFlags, cfg *service.Config) (*authclient.Config,
 cfg.HostUUID, err = utils.ReadHostUUID(cfg.DataDir)
 if err != nil {
 if errors.Is(err, fs.ErrNotExist) {
- return nil, trace.Wrap(err, fmt.Sprintf("Could not load Teleport host UUID file at %s. "+
+ return nil, trace.Wrap(err, "Could not load Teleport host UUID file at %s. "+
 "Please make sure that Teleport is up and running prior to using tctl.",
- filepath.Join(cfg.DataDir, utils.HostUUIDFile)))
+ filepath.Join(cfg.DataDir, utils.HostUUIDFile))
+ } else if errors.Is(err, fs.ErrPermission) {
+ return nil, trace.Wrap(err, "Teleport does not have permission to read Teleport host UUID file at %s. "+
+ "Ensure that you are running as a user with appropriate permissions.",
+ filepath.Join(cfg.DataDir, utils.HostUUIDFile))
 }
 return nil, trace.Wrap(err)
 }
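Review bot: The new `fs.ErrPermission` branch in applyConfig tells the operator only to run "as a user with appropriate permissions", without saying which user that is. The denied read is tctl opening the host UUID file under `cfg.DataDir`, so naming the remedy (run tctl as the account that owns the Teleport data directory) would steer people away from loosening permissions on a directory that presumably holds more than this one file. The message also says "Teleport does not have permission" although the process that was refused is tctl. Both branches now build `filepath.Join(cfg.DataDir, utils.HostUUIDFile)` separately; a local such as `uuidPath := filepath.Join(cfg.DataDir, utils.HostUUIDFile)` before the inner `if` would keep the two messages pointing at the same path. applyConfig's body starts and ends outside this hunk.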