diff --git a/modules/config/users-groups.nix b/modules/config/users-groups.nix
index 72d3e21f203..cb84117090b 100644
--- a/modules/config/users-groups.nix
+++ b/modules/config/users-groups.nix
@@ -90,6 +90,9 @@ let
           { name = "nixbld";
             gid = ids.gids.nixbld;
           }
+          { name = "utmp";
+            gid = ids.gids.utmp;
+          }
         ];
 
       addAttrs =
diff --git a/modules/misc/ids.nix b/modules/misc/ids.nix
index 87e2eacf911..041b0badd0e 100644
--- a/modules/misc/ids.nix
+++ b/modules/misc/ids.nix
@@ -87,6 +87,7 @@ in
     video = 26;
     dialout = 27;
     polkituser = 28;
+    utmp = 29;
     davfs2 = 31;
     privoxy = 32;
     disnix = 33;
diff --git a/modules/system/activation/activation-script.nix b/modules/system/activation/activation-script.nix
index 21c52abe49f..b87429008a5 100644
--- a/modules/system/activation/activation-script.nix
+++ b/modules/system/activation/activation-script.nix
@@ -79,7 +79,8 @@ let
       mkdir -m 0755 -p /var/run/console # for pam_console
 
       touch /var/run/utmp # must exist
-      chmod 644 /var/run/utmp
+      chgrp ${config.ids.gids.utmp} /var/run/utmp
+      chmod 664 /var/run/utmp
 
       mkdir -m 0755 -p /var/run/nix/current-load # for distributed builds
       mkdir -m 0700 -p /var/run/nix/remote-stores