diff --git a/hosts/common/programs/networkmanager.nix b/hosts/common/programs/networkmanager.nix
index 85d8c0b5..dbfe5089 100644
--- a/hosts/common/programs/networkmanager.nix
+++ b/hosts/common/programs/networkmanager.nix
@@ -73,8 +73,8 @@ in
 path = [ "/run/current-system/sw" ]; #< so it can find `sanebox`
 serviceConfig.RuntimeDirectory = "NetworkManager"; #< tells systemd to create /run/NetworkManager
 serviceConfig.StateDirectory = "NetworkManager"; #< tells systemd to create /var/lib/NetworkManager
- # serviceConfig.User = "networkmanager";
- # serviceConfig.Group = "networkmanager";
+ serviceConfig.User = "networkmanager";
+ serviceConfig.Group = "networkmanager";
 serviceConfig.AmbientCapabilities = [
 # "CAP_DAC_OVERRIDE"
 "CAP_NET_ADMIN"
@@ -89,8 +89,8 @@ in
 systemd.services.NetworkManager-wait-online = {
 path = [ "/run/current-system/sw" ]; #< so `nm-online` can find `sanebox`
 wantedBy = [ "network-online.target" ];
- # serviceConfig.User = "networkmanager";
- # serviceConfig.Group = "networkmanager";
+ serviceConfig.User = "networkmanager";
+ serviceConfig.Group = "networkmanager";
 };
 
 systemd.services.NetworkManager-dispatcher = {
@@ -104,8 +104,8 @@ in
 ];
 serviceConfig.Restart = "always";
 serviceConfig.RestartSec = "1s";
- # serviceConfig.User = "networkmanager";
- # serviceConfig.Group = "networkmanager";
+ serviceConfig.User = "networkmanager";
+ serviceConfig.Group = "networkmanager";
 };
 
 environment.etc = {
diff --git a/hosts/common/programs/wpa_supplicant.nix b/hosts/common/programs/wpa_supplicant.nix
index e0cae35b..c3ec64c8 100644
--- a/hosts/common/programs/wpa_supplicant.nix
+++ b/hosts/common/programs/wpa_supplicant.nix
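Review bot: Enabling `serviceConfig.User = "networkmanager"` drops everything the daemon previously got implicitly from uid 0, while this hunk only shows the Linux capabilities it keeps; the D-Bus side needs a matching grant, because NetworkManager's stock bus policy lets only root own `org.freedesktop.NetworkManager`, and unless a policy override elsewhere in the tree allows the `networkmanager` user, the daemon would be expected to start and then fail to acquire its bus name. The same consideration applies to the `-89` and `-104` hunks and to the wpa_supplicant unit (`fi.w1.wpa_supplicant1`). I would record the dependency above the new line: `# non-root: requires a D-Bus policy granting networkmanager ownership of org.freedesktop.NetworkManager`. The AmbientCapabilities list continues past the hunk, so I cannot tell whether anything beyond CAP_NET_ADMIN had to change for the non-root case.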
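Review bot: With `serviceConfig.User` live on NetworkManager-dispatcher (the `-104` hunk), every script under dispatcher.d now executes as `networkmanager` rather than root, so a script that restarts a unit or edits root-owned state will fail at run time, and the dispatcher only reports that in the journal. A one-line comment beside the new line would save the next reader a debugging session: `# dispatcher.d scripts now run as networkmanager, not root`. The enclosing attribute set begins outside the hunk.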
@@ -27,7 +27,11 @@ in
 rm $out/etc/systemd/system/{wpa_supplicant-nl80211@,wpa_supplicant-wired@,wpa_supplicant@}.service
 '';
 });
- sandbox.method = "bwrap"; #< landlock works too, even allows us to be a different user than root if we want (bwrap probably requires root)
+ # bwrap sandboxing works, but requires the real user to be root.
+ # landlock sandboxing works, and allows the real user to be someone else (like `networkmanager`).
+ # non-root is very important, because of how many things in e.g. /dev are r/w based on uid=0.
+ # sandbox.method = "bwrap";
+ sandbox.method = "landlock";
 sandbox.capabilities = [ # see also:
 "net_admin"
 "net_raw"
@@ -49,8 +53,8 @@ in
 systemd.packages = [ cfg.package ]; #< needs to be on systemd.packages so we get its service file
 systemd.services.wpa_supplicant = {
 path = [ "/run/current-system/sw" ]; #< so it can find `sanebox`
- # serviceConfig.User = "networkmanager";
- # serviceConfig.Group = "networkmanager";
+ serviceConfig.User = "networkmanager";
+ serviceConfig.Group = "networkmanager";
 serviceConfig.AmbientCapabilities = [
 "CAP_NET_ADMIN"
 "CAP_NET_RAW"
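Review bot: The new comment block records why landlock is preferred but not what is given up: bwrap confines through namespaces (mount, pid, ipc), whereas landlock restricts access from inside the existing namespaces (filesystem, plus some network rules only on newer kernels), so the switch trades namespace isolation for the ability to drop uid 0. Stating that makes the change read as a deliberate trade-off rather than a strict improvement, e.g. `# landlock gives no namespace isolation (unlike bwrap); accepted in exchange for running unprivileged.` Landlock also depends on the running kernel enabling it in its LSM stack — presumably `sanebox` fails closed when it is absent, but that assumption belongs in the comment too. With the rationale now written out, the commented-out `# sandbox.method = "bwrap";` line is dead text and can be dropped.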
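Review bot: In the `-49,8 +53,8` hunk this unit gains `serviceConfig.User` without a visible `serviceConfig.RuntimeDirectory`, yet the upstream wpa_supplicant.service inherited via `systemd.packages` starts the daemon with its control interface under /run/wpa_supplicant (I believe via `-O /run/wpa_supplicant`), a directory a non-root process cannot create. Unless it is provisioned elsewhere, add `serviceConfig.RuntimeDirectory = "wpa_supplicant";` next to the new User/Group lines so systemd creates it owned by the service user, matching what the NetworkManager unit already does for /run/NetworkManager. The AmbientCapabilities list continues outside the hunk.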