diff --git a/nixos/modules/programs/shadow.nix b/nixos/modules/programs/shadow.nix
index c5a503180266..d497b6621130 100644
--- a/nixos/modules/programs/shadow.nix
+++ b/nixos/modules/programs/shadow.nix
@@ -101,9 +101,15 @@ in
         chpasswd = { rootOK = true; };
       };
 
-    security.setuidPrograms = [
-      "su" "chfn" "newuidmap" "newgidmap"
-      ] ++ lib.optionals config.users.mutableUsers
-      [ "passwd" "sg" "newgrp" ];
+    security.wrappers = {
+      su.source        = "${pkgs.shadow.su}/bin/su";
+      chfn.source      = "${pkgs.shadow.out}/bin/chfn";
+      newuidmap.source = "${pkgs.shadow.out}/bin/newuidmap";
+      newgidmap.source = "${pkgs.shadow.out}/bin/newgidmap";
+    } // (lib.mkIf config.users.mutableUsers {
+      passwd.source    = "${pkgs.shadow.out}/bin/passwd";
+      sg.source        = "${pkgs.shadow.out}/bin/sg";
+      newgrp.source    = "${pkgs.shadow.out}/bin/newgrp";
+    });
   };
 }