diff --git a/boot/boot-stage-2-init.sh b/boot/boot-stage-2-init.sh
index 5ad85bea27e..262412c9eb4 100644
--- a/boot/boot-stage-2-init.sh
+++ b/boot/boot-stage-2-init.sh
@@ -135,7 +135,7 @@ EOF
 # Additional path for the interactive shell.
-PATH=@fullPath@/bin:@fullPath@/sbin
+PATH=@wrapperDir@:@fullPath@/bin:@fullPath@/sbin
 cat > /etc/profile < $wrapperDir/$i.real
+ chown root.root $wrapperDir/$i
+ chmod 4755 $wrapperDir/$i
+done
+
+
 # Set the host name.
 hostname @hostName@
diff --git a/boot/boot-stage-2.nix b/boot/boot-stage-2.nix
index 9c1640bc455..9e92194ded7 100644
--- a/boot/boot-stage-2.nix
+++ b/boot/boot-stage-2.nix
@@ -1,5 +1,5 @@
 { genericSubstituter, buildEnv, shell, coreutils, findutils
-, utillinux, kernel, udev, upstart
+, utillinux, kernel, udev, upstart, setuidWrapper
 , path ? [] , # Whether the root device is root only. If so, we'll mount a
@@ -20,6 +20,7 @@ let
 utillinux
 udev
 upstart
+ setuidWrapper
 ];
 in
@@ -40,6 +41,6 @@ genericSubstituter {
 pathsToLink = ["/bin" "/sbin" "/man/man1" "/share/man/man1"];
 ignoreCollisions = true;
 };
-
- extraPath = path;
+
+ wrapperDir = setuidWrapper.wrapperDir;
 }
diff --git a/configuration/boot-environment.nix b/configuration/boot-environment.nix
index 885c994eea7..34c9a73079f 100644
--- a/configuration/boot-environment.nix
+++ b/configuration/boot-environment.nix
@@ -179,11 +179,18 @@ rec {
 };
+ setuidWrapper = import ../helpers/setuid {
+ inherit (pkgs) stdenv;
+ wrapperDir = "/var/setuid-wrappers";
+ };
+
+
 # The init script of boot stage 2, which is supposed to do
 # everything else to bring up the system.
 bootStage2 = import ../boot/boot-stage-2.nix {
 inherit (pkgs) genericSubstituter buildEnv coreutils findutils utillinux kernel udev upstart;
+ inherit setuidWrapper;
 inherit upstartJobs;
 shell = pkgs.bash + "/bin/sh";
diff --git a/helpers/setuid/builder.sh b/helpers/setuid/builder.sh
new file mode 100644
index 00000000000..f9e13b1115c
--- /dev/null
+++ b/helpers/setuid/builder.sh
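Review bot: The loop installs setuid-root wrappers with `chmod 4755 $wrapperDir/$i` without checking that the preceding `chown` succeeded and without quoting `$wrapperDir/$i`, and nothing in the hunk removes wrappers left over from an earlier configuration, so a program dropped from the list keeps a setuid-root entry in `$wrapperDir`. The start of the loop and the part that writes `$wrapperDir/$i.real` are not visible here (the text around `cat > /etc/profile` appears mangled), so how `$wrapperDir` itself is created, and whether it is root-owned and not group/world-writable, cannot be confirmed from this hunk; since the wrapper presumably hands out root to whatever that directory points at, the script should assert those properties before populating it. `chown root.root` is also the deprecated dot form. Suggested: `chown root:root "$wrapperDir/$i" && chmod 4755 "$wrapperDir/$i"`.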
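Review bot: `extraPath = path;` is removed in the third hunk of boot/boot-stage-2.nix while the first hunk keeps `, path ? []` in the argument set, so unless `path` is consumed somewhere the diff does not show, the argument is now accepted and silently ignored for every caller. Either drop `path ? []` from the argument set or keep `extraPath = path;` next to the new `wrapperDir = setuidWrapper.wrapperDir;`.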
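Review bot: `wrapperDir = "/var/setuid-wrappers";` in configuration/boot-environment.nix is the single place where the location of the setuid-root wrappers is chosen, and builder.sh compiles that value into the wrapper binary as `WRAPPER_DIR`, so the line deserves a comment stating that the directory is populated by the stage-2 init script and that changing it rebuilds the wrapper. Suggested: `# Directory in which boot-stage-2-init.sh installs the setuid-root wrappers; the path is compiled into the wrapper binary, so changing it rebuilds the wrapper.`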
@@ -0,0 +1,5 @@
+source $stdenv/setup
+
+ensureDir $out/bin
+
+gcc -Wall -O2 -DWRAPPER_DIR=\"$wrapperDir\" $setuidWrapper -o $out/bin/setuid-wrapper
diff --git a/helpers/setuid/default.nix b/helpers/setuid/default.nix
new file mode 100644
index 00000000000..412b5ed2208
--- /dev/null
+++ b/helpers/setuid/default.nix
@@ -0,0 +1,8 @@
+{stdenv, wrapperDir}:
+
+stdenv.mkDerivation {
+ name = "setuid-wrapper";
+ builder = ./builder.sh;
+ setuidWrapper = ./setuid-wrapper.c;
+ inherit wrapperDir;
+}
\ No newline at end of file
diff --git a/helpers/setuid/setuid-wrapper.c b/helpers/setuid/setuid-wrapper.c
index 04923896d4e..805ede7e2dd 100644
--- a/helpers/setuid/setuid-wrapper.c
+++ b/helpers/setuid/setuid-wrapper.c
@@ -9,7 +9,7 @@ extern char **environ;
-static char * wrapperDir = "/home/root/nixos/helpers/setuid";
+static char * wrapperDir = WRAPPER_DIR;
 int main(int argc, char * * argv) {
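Review bot: The binary produced by the `gcc` line is later marked setuid root by the stage-2 init script (`chmod 4755`), yet it is compiled with only `-Wall -O2`; a privileged helper is where hardening is cheapest, so `-Wextra -D_FORTIFY_SOURCE=2 -fstack-protector` on that line would be worth the cost, and warnings in a setuid program should fail the build rather than scroll past. `$wrapperDir` is also spliced into a C string literal via `-DWRAPPER_DIR=\"$wrapperDir\"` without escaping, so a value containing a double quote or backslash would change the program's source rather than fail the build; the value currently comes from a fixed Nix string, so this is a robustness point rather than an exposure.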
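Review bot: `static char * wrapperDir = WRAPPER_DIR;` now depends on a macro supplied by the build, but the file has no guard for it, so compiling the file outside builder.sh fails with an undeclared-identifier error instead of a clear message; add `#ifndef WRAPPER_DIR` / `#error "WRAPPER_DIR must be defined (see helpers/setuid/builder.sh)"` / `#endif` above the definition. The pointer should also be `static const char * wrapperDir`, assuming nothing later in the file writes through it, since it is the trusted location the setuid program relies on and should not be reassignable by accident. `main` begins on the last line of the hunk and continues outside it.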