diff --git a/hosts/common/polyunfill.nix b/hosts/common/polyunfill.nix
index d823c3a3..57df50ff 100644
--- a/hosts/common/polyunfill.nix
+++ b/hosts/common/polyunfill.nix
@@ -15,6 +15,11 @@
   };
 
   config = {
+    # from: <repo:nixos/nixpkgs:nixos/modules/security/pam.nix>
+    # removing this from /run/wrappers altogether is possible, but would require a full rebuild of pam
+    # (effectively a rebuild of the world) because it hardcodes that path
+    security.wrappers.unix_chkpwd.setuid = lib.mkForce false;
+
     # disable non-required packages like nano, perl, rsync, strace
     environment.defaultPackages = [];