diff --git a/modules/security/pam.nix b/modules/security/pam.nix index 5c59282fe8a0..a5491792f7ef 100644 --- a/modules/security/pam.nix +++ b/modules/security/pam.nix @@ -191,7 +191,7 @@ in ###### implementation config = { - + environment.systemPackages = # Include the PAM modules in the system path mostly for the manpages. [ pkgs.pam ] @@ -205,6 +205,14 @@ in target = "pam.d/other"; }; + security.setuidOwners = [ { + program = "unix_chkpwd"; + source = "${pkgs.pam}/sbin/unix_chkpwd.orig"; + owner = "root"; + setuid = true; + } ]; + + security.pam.services = # Most of these should be moved to specific modules. [ { name = "cups"; } @@ -217,5 +225,5 @@ in ]; }; - + } diff --git a/modules/security/setuid-wrappers.nix b/modules/security/setuid-wrappers.nix index a7513477353a..3c4a08c16b70 100644 --- a/modules/security/setuid-wrappers.nix +++ b/modules/security/setuid-wrappers.nix @@ -62,7 +62,8 @@ in default = "/var/setuid-wrappers"; description = '' This option defines the path to the setuid wrappers. It - should generally not be overriden. + should generally not be overriden. Some packages in nixpkgs rely on + wrapperDir == /var/setuid-wrappers ''; };
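Review bot: The `security.setuidOwners` entry added in the second pam.nix hunk creates a setuid-root `unix_chkpwd` with no comment explaining why, and a setuid-root password helper is the kind of entry a later audit will want justified. I would add a comment above it such as `# unix_chkpwd needs root to check passwords against the shadow database for unprivileged PAM clients; the wrapper is built from the binary pkgs.pam installs as unix_chkpwd.orig.` The `.orig` reading is inferred from the `source` path, so confirm it against the pam package. The entry sets only `owner` and `setuid`, so the wrapper's group and mode come from the setuid-wrappers module's defaults, which should be checked to be no looser than the stock PAM install. The enclosing `config = { … }` block starts and ends outside this hunk.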
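Review bot: The sentence added to the `wrapperDir` description in setuid-wrappers.nix states a hard requirement (`wrapperDir == /var/setuid-wrappers`) that nothing enforces. Overriding the option would still evaluate and would presumably leave packages such as PAM looking for `unix_chkpwd` in a directory that no longer holds the setuid wrapper. Consider backing the text with an evaluation-time assertion or warning in this module, and wording the description as a consequence, for example `Some packages in nixpkgs hard-code /var/setuid-wrappers, so changing this breaks their setuid helpers.` The new line also keeps the misspelling `overriden` (should be `overridden`), and the added sentence has no closing full stop. The option definition starts and ends outside the hunk.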