diff --git a/modules/misc/ids.nix b/modules/misc/ids.nix
index 52a518add3a..87a73832a59 100644
--- a/modules/misc/ids.nix
+++ b/modules/misc/ids.nix
@@ -57,6 +57,7 @@ in
 wheel = 1;
 kmem = 2;
 tty = 3;
+ messagebus = 4; # D-Bus
 haldaemon = 5;
 disk = 6;
 vsftpd = 7;
diff --git a/modules/services/system/dbus.nix b/modules/services/system/dbus.nix
index 9dc6bd9d78b..66feb6d46f4 100644
--- a/modules/services/system/dbus.nix
+++ b/modules/services/system/dbus.nix
@@ -7,16 +7,27 @@ let
 cfg = config.services.dbus;
- inherit (pkgs) dbus;
+ # !!! dbus_temp uses /etc/dbus-1; will be merged into pkgs.dbus later.
+ dbus = pkgs.dbus_temp;
 homeDir = "/var/run/dbus";
- configFile = pkgs.stdenv.mkDerivation {
+ configDir = pkgs.stdenv.mkDerivation {
 name = "dbus-conf";
 buildCommand = ''
 ensureDir $out
- ln -s ${dbus}/etc/dbus-1/system.conf $out/system.conf
+
+ cp ${dbus}/etc/dbus-1/system.conf $out/system.conf
+ # Tell the daemon where the setuid wrapper around
+ # dbus-daemon-launch-helper lives.
+ sed -i $out/system.conf \
+ -e 's|.*/libexec/dbus-daemon-launch-helper|${config.security.wrapperDir}/dbus-daemon-launch-helper|'
+
+ # Add the system-services directories to the daemon's search path.
+ sed -i $out/system.conf \
+ -e 's||${systemServiceDirs}|'
+
 # Note: system.conf includes ./system.d (i.e. it has a relative,
 # not absolute path).
 ensureDir $out/system.d
@@ -26,6 +37,10 @@ let
 ''; # */
 };
+ systemServiceDirs = concatMapStrings
+ (d: "${d}/share/dbus-1/system-services ")
+ cfg.packages;
+
 in
 {
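Review bot: Neither `sed -i` in the configDir buildCommand checks that its pattern actually matched, and a substitution with no match exits 0, so if the upstream system.conf ever words the servicehelper line differently the stock `/libexec/dbus-daemon-launch-helper` path stays in the shipped config and the build still succeeds; the daemon then fails at activation time rather than at build time. A `grep -q '${config.security.wrapperDir}/dbus-daemon-launch-helper' $out/system.conf` after the first sed, and an equivalent check for one of the service directories after the second, would turn that into a build failure. As rendered here the second expression reads `'s||${systemServiceDirs}|'` with an empty pattern; that is presumably a configuration element (and possibly the element tags around each path in systemServiceDirs) lost in rendering, but if the pattern really is empty sed rejects it, and bare space-separated paths are not a valid service-directory entry. The configDir derivation continues past this hunk.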
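Review bot: The new `systemServiceDirs` binding turns every package in `services.dbus.packages` into a system-bus activation search path, and the first hunk routes activation through a root-setuid launch helper, so the trust implication of that option deserves a comment here; something like `# Each package may ship share/dbus-1/system-services/*.service files that the bus will activate via the setuid launch helper, so only trusted packages belong in services.dbus.packages.` A minor style point: the lambda appends a trailing space per entry, leaving a dangling space at the end of the joined string; joining with `concatStringsSep " "` over a `map` avoids that.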
@@ -67,11 +82,26 @@ in
 environment.systemPackages = [dbus.daemon dbus.tools];
+ environment.etc = singleton
+ # We need /etc/dbus-1/system.conf for now, because
+ # dbus-daemon-launch-helper is called with an empty environment
+ # and no arguments. So we have no way to tell it the location
+ # of our config file.
+ { source = configDir;
+ target = "dbus-1";
+ };
+
 users.extraUsers = singleton
 { name = "messagebus";
 uid = config.ids.uids.messagebus;
 description = "D-Bus system message bus daemon user";
 home = homeDir;
+ group = "messagebus";
+ };
+
+ users.extraGroups = singleton
+ { name = "messagebus";
+ gid = config.ids.gids.messagebus;
 };
 jobs = singleton
@@ -92,7 +122,7 @@ in
 # !!! hack - dbus should be running once this job is
 # considered "running"; should be fixable once we have
 # Upstart 0.6.
- ${dbus}/bin/dbus-daemon --config-file=${configFile}/system.conf
+ ${dbus}/bin/dbus-daemon --config-file=${configDir}/system.conf
 '';
 postStop =
@@ -104,6 +134,16 @@ in
 '';
 };
+ security.setuidOwners = singleton
+ { program = "dbus-daemon-launch-helper";
+ source = "${dbus}/libexec/dbus-daemon-launch-helper";
+ owner = "root";
+ group = "messagebus";
+ setuid = true;
+ setgid = false;
+ permissions = "u+rx,g+rx,o-rx";
+ };
+
 };
 }
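Review bot: The `environment.etc` entry symlinks the whole `/etc/dbus-1` directory to configDir, which (per the first hunk) contains only `system.conf` and `system.d`; if `dbus_temp` also looks for `/etc/dbus-1/session.conf` for session buses, that file is now absent rather than falling back to the package's copy, which is worth confirming before the `dbus_temp` merge mentioned in the first hunk. The comment above the entry could state that consequence, e.g. `# This replaces all of /etc/dbus-1, so session.conf and any local system.d drop-ins must also come from configDir.`. The enclosing module attribute set begins outside this hunk.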
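Review bot: `permissions = "u+rx,g+rx,o-rx"` is a relative mode, so any bit it does not mention (the write bits in particular) is inherited from whatever mode the wrapper module starts from; if that value is handed to chmod, the absolute form `permissions = "u=rx,g=rx,o=";` pins the helper to exactly root-executable plus group-executable with nothing for others and is not sensitive to the wrapper's defaults. The entry would also benefit from a comment saying why a root-setuid binary is being installed and why it is restricted to the messagebus group, e.g. `# The bus daemon (running as messagebus) invokes this helper to launch system services; the o-rx restriction keeps every other user from running it directly.` — the launch role is inferred from the servicehelper rewrite in the first hunk, so adjust the wording if the helper does more than that.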