diff --git a/modules/programs/pwdutils/login.defs b/modules/programs/pwdutils/login.defs
index a310ca5af5a..98610a88ca8 100644
--- a/modules/programs/pwdutils/login.defs
+++ b/modules/programs/pwdutils/login.defs
@@ -12,3 +12,7 @@ GID_MAX 29999
 TTYGROUP tty
 TTYPERM 0620
+
+# Uncomment this to allow non-root users to change their account
+#information. This should be made configurable.
+#CHFN_RESTRICT frwh
diff --git a/modules/security/pam.nix b/modules/security/pam.nix
index fd1aae65ac9..0ee7595a5e1 100644
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@@ -204,6 +204,7 @@ in
 { name = "sshd"; }
 { name = "xlock"; }
 { name = "chsh"; rootOK = true; }
+ { name = "chfn"; rootOK = true; }
 { name = "su"; rootOK = true; forwardXAuth = true; }
 # Note: useradd, groupadd etc. aren't setuid root, so it
 # doesn't really matter what the PAM config says as long as it
diff --git a/modules/security/setuid-wrappers.nix b/modules/security/setuid-wrappers.nix
index 510c99b2f58..aa85ee20dc9 100644
--- a/modules/security/setuid-wrappers.nix
+++ b/modules/security/setuid-wrappers.nix
@@ -74,7 +74,7 @@ in
 config = {
 security.setuidPrograms =
- [ "passwd" "su" "crontab" "ping" "ping6"
+ [ "passwd" "chfn" "su" "crontab" "ping" "ping6"
 "fusermount" "wodim" "cdrdao" "growisofs"
 ];
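Review bot: The value suggested in the new login.defs comment, `frwh`, includes `f`, which (as chfn documents the letters) lets any user rewrite their own full-name field as well as room and phone numbers. That name is what many tools display as the account's identity, so an admin who simply uncomments the line opens more than contact details. If only contact details are intended, the comment could suggest `#CHFN_RESTRICT rwh` and say what each letter allows. The second comment line is also missing the space after `#` (`# information. This should be made configurable.`).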
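Review bot: Adding `"chfn"` to the default `security.setuidPrograms` list puts another setuid-root program that rewrites the passwd database on every system. The login.defs hunk in this commit leaves `CHFN_RESTRICT` commented out, so, assuming an unset value means no field may be changed, non-root users gain nothing from the wrapper by default. Until the restriction is configurable, it would be safer to leave chfn out of the default list and let an admin add it together with the login.defs setting. Failing that, a comment above the list should record the dependency, e.g. `# chfn: only useful to non-root users when CHFN_RESTRICT is set in login.defs`. The matching `{ name = "chfn"; rootOK = true; }` entry in pam.nix is only needed if the wrapper stays, and the list's enclosing `config` block continues outside the hunk.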