diff --git a/nixos/lib/make-disk-image.nix b/nixos/lib/make-disk-image.nix
index d67ca0e527e..b12cf68fd36 100644
--- a/nixos/lib/make-disk-image.nix
+++ b/nixos/lib/make-disk-image.nix
@@ -129,6 +129,9 @@ let format' = format; in let
     # TODO: Nix really likes to chown things it creates to its current user...
     fakeroot nixos-prepare-root $root ${channelSources} ${config.system.build.toplevel} closure
 
+    # fakeroot seems to always give the owner write permissions, which we do not want
+    find $root/nix/store -mindepth 1 -maxdepth 1 -type f -o -type d -exec chmod -R a-w '{}' \;
+
     echo "copying staging root to image..."
     cptofs ${optionalString partitioned "-P 1"} -t ${fsType} -i $diskImage $root/* /
   '';