diff --git a/system/options.nix b/system/options.nix
index 64bee0fa878..05189dbd23b 100644
--- a/system/options.nix
+++ b/system/options.nix
@@ -639,7 +639,8 @@ in
         default = false;
         description = ''
           Whether to make /var/spool/at{jobs,spool} writeable 
-          by everyone (and sticky).
+          by everyone (and sticky).  This is normally not needed since
+          the `at' commands are setuid/setgid `atd'.
         '';
       };
     };
diff --git a/system/system.nix b/system/system.nix
index 08422d5bd2d..d4594a91b9c 100644
--- a/system/system.nix
+++ b/system/system.nix
@@ -302,7 +302,15 @@ rec {
         chmod u${if entry.setuid then "+" else "-"}s $wrapperDir/${entry.program} 
         chmod g${if entry.setgid then "+" else "-"}s $wrapperDir/${entry.program} 
       '') 
-      config.security.setuidOwners);
+      (config.security.setuidOwners ++
+
+       # The `at' commands must be setuid `atd' so they can access the files
+       # under `/etc/at', etc.
+       (if config.services.atd.enable
+        then (map (program: { inherit program; owner = "atd"; group = "atd";
+                             setuid = true; setgid = true; })
+                  [ "at" "atq" "atrm" ])
+        else [])));
   };
 
 
diff --git a/upstart-jobs/atd.nix b/upstart-jobs/atd.nix
index 8a775d0c5d7..310477d1994 100644
--- a/upstart-jobs/atd.nix
+++ b/upstart-jobs/atd.nix
@@ -48,7 +48,7 @@ start script
    if [ ! -f "$etcdir"/at.deny ]
    then
        touch "$etcdir"/at.deny && \
-       chown root:root "$etcdir"/at.deny && \
+       chown root:atd "$etcdir"/at.deny && \
        chmod 640 "$etcdir"/at.deny
    fi
    if [ ! -f "$jobdir"/.SEQ ]