diff --git a/pkgs/os-specific/linux/shadow/default.nix b/pkgs/os-specific/linux/shadow/default.nix
index 9ba8984bb032..96dfd3b4bd8f 100644
--- a/pkgs/os-specific/linux/shadow/default.nix
+++ b/pkgs/os-specific/linux/shadow/default.nix
@@ -1,6 +1,7 @@
 { lib, stdenv, nixosTests, fetchpatch, fetchFromGitHub, autoreconfHook, libxslt
 , libxml2 , docbook_xml_dtd_45, docbook_xsl, itstool, flex, bison, runtimeShell
 , libxcrypt, pam ? null, glibcCross ? null
+, withTcb ? stdenv.isLinux, tcb
 }:
 
 let
@@ -24,7 +25,8 @@ stdenv.mkDerivation rec {
   };
 
   buildInputs = [ libxcrypt ]
-    ++ lib.optional (pam != null && stdenv.isLinux) pam;
+    ++ lib.optional (pam != null && stdenv.isLinux) pam
+    ++ lib.optional withTcb tcb;
   nativeBuildInputs = [autoreconfHook libxslt libxml2
     docbook_xml_dtd_45 docbook_xsl flex bison itstool
     ];
@@ -34,6 +36,7 @@ stdenv.mkDerivation rec {
     # Obtain XML resources from XML catalog (patch adapted from gtk-doc)
     ./respect-xml-catalog-files-var.patch
     ./runtime-shell.patch
+    ./fix-install-with-tcb.patch
     # Fix HAVE_SHADOWGRP configure check
     (fetchpatch {
       url = "https://github.com/shadow-maint/shadow/commit/a281f241b592aec636d1b93a99e764499d68c7ef.patch";
@@ -64,7 +67,8 @@ stdenv.mkDerivation rec {
     "--with-group-name-max-length=32"
     "--with-bcrypt"
     "--with-yescrypt"
-  ] ++ lib.optional (stdenv.hostPlatform.libc != "glibc") "--disable-nscd";
+  ] ++ lib.optional (stdenv.hostPlatform.libc != "glibc") "--disable-nscd"
+    ++ lib.optional withTcb "--with-tcb";
 
   preBuild = lib.optionalString (stdenv.hostPlatform.libc == "glibc")
     ''
diff --git a/pkgs/os-specific/linux/shadow/fix-install-with-tcb.patch b/pkgs/os-specific/linux/shadow/fix-install-with-tcb.patch
new file mode 100644
index 000000000000..ff6166b92f1d
--- /dev/null
+++ b/pkgs/os-specific/linux/shadow/fix-install-with-tcb.patch
@@ -0,0 +1,28 @@
+diff --git a/src/Makefile.am b/src/Makefile.am
+index a1a2e4e..fa17f9d 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -74,10 +74,6 @@ suidubins += newgidmap newuidmap
+ endif
+ endif
+ 
+-if WITH_TCB
+-shadowsgidubins = passwd
+-endif
+-
+ LDADD          = $(INTLLIBS) \
+ 		 $(top_builddir)/libmisc/libmisc.la \
+ 		 $(top_builddir)/lib/libshadow.la \
+@@ -146,12 +142,6 @@ install-am: all-am
+ 	set -e; for i in $(suidusbins); do \
+ 		chmod $(suidperms) $(DESTDIR)$(usbindir)/$$i; \
+ 	done
+-if WITH_TCB
+-	set -e; for i in $(shadowsgidubins); do \
+-		chown root:shadow $(DESTDIR)$(ubindir)/$$i; \
+-		chmod $(sgidperms) $(DESTDIR)$(ubindir)/$$i; \
+-	done
+-endif
+ if ENABLE_SUBIDS
+ if FCAPS
+ 	setcap cap_setuid+ep $(DESTDIR)$(ubindir)/newuidmap