diff --git a/modules/config/system-path.nix b/modules/config/system-path.nix
index 4a22aabc946..d9074732418 100644
--- a/modules/config/system-path.nix
+++ b/modules/config/system-path.nix
@@ -44,12 +44,10 @@ let
       pkgs.pciutils
       pkgs.perl
       pkgs.procps
-      pkgs.pwdutils
       pkgs.reiserfsprogs
       pkgs.rsync
       pkgs.seccure
       pkgs.strace
-      pkgs.su
       pkgs.sysklogd
       pkgs.sysvtools
       pkgs.time
diff --git a/modules/config/users-groups.nix b/modules/config/users-groups.nix
index cb84117090b..6beb7b311aa 100644
--- a/modules/config/users-groups.nix
+++ b/modules/config/users-groups.nix
@@ -173,16 +173,16 @@ in
 
             if ! curEnt=$(getent passwd "$name"); then
                 useradd --system \
-                    "$name" \
                     --comment "$description" \
                     ''${uid:+--uid $uid} \
                     --gid "$group" \
                     --groups "$extraGroups" \
                     --home "$home" \
                     --shell "$shell" \
-                    ''${createHome:+--create-home}
+                    ''${createHome:+--create-home} \
+                    "$name"
                 if test "''${password:0:1}" = 'X'; then
-                    echo "''${password:1}" | ${pkgs.pwdutils}/bin/passwd --stdin "$name"
+                    echo "''${password:1}" | ${pkgs.shadow}/bin/passwd --stdin "$name"
                 fi
             else
                 #echo "updating user $name..."
@@ -196,22 +196,13 @@ in
                 # unnecessary warnings about logged in users.
                 if test "$prevHome" = "$home"; then unset home; fi
                 usermod \
-                    "$name" \
                     --comment "$description" \
                     ''${uid:+--uid $uid} \
                     --gid "$group" \
                     --groups "$extraGroups" \
                     ''${home:+--home "$home"} \
-                    --shell "$shell"
-            fi
-
-            if test "$group" = nixbld; then
-                # As a special hack, add users that have nixbld as the
-                # primary group to the /etc/group entry for the nixbld
-                # group.  `nix-store' currently expects this in order
-                # to get the UIDs of all the build users by doing a
-                # getprnam("nixbld") call.
-                groupmod "$group" -A "$name"
+                    --shell "$shell" \
+                    "$name"
             fi
 
         done
@@ -227,14 +218,14 @@ in
 
             if ! curEnt=$(getent group "$name"); then
                 groupadd --system \
-                    "$name" \
-                    ''${gid:+--gid $gid}
+                    ''${gid:+--gid $gid} \
+                    "$name"
             else
                 #echo "updating group $name..."
                 oldIFS="$IFS"; IFS=:; set -- $curEnt; IFS="$oldIFS"
                 prevGid=$3
                 if test -n "$gid" -a "$prevGid" != "$gid"; then
-                    groupmod "$name" --gid $gid
+                    groupmod --gid $gid "$name"
                 fi
             fi
         done <<EndOfGroupList
diff --git a/modules/programs/pwdutils/login.defs b/modules/programs/pwdutils/login.defs
index 98610a88ca8..9d789fe7805 100644
--- a/modules/programs/pwdutils/login.defs
+++ b/modules/programs/pwdutils/login.defs
@@ -1,12 +1,12 @@
 DEFAULT_HOME            yes
 
-SYSTEM_UID_MIN            100
-SYSTEM_UID_MAX            499
+SYS_UID_MIN               100
+SYS_UID_MAX               499
 UID_MIN                  1000
 UID_MAX                 29999
 
-SYSTEM_GID_MIN            100
-SYSTEM_GID_MAX            499
+SYS_GID_MIN               100
+SYS_GID_MAX               499
 GID_MIN                  1000
 GID_MAX                 29999
 
diff --git a/modules/programs/pwdutils/passwd.conf b/modules/programs/pwdutils/passwd.conf
deleted file mode 100644
index 3b10fa350b5..00000000000
--- a/modules/programs/pwdutils/passwd.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# Define default crypt hash
-# CRYPT={des,md5,blowfish}
-CRYPT=des
-
-# for local files, use a more secure hash. We
-# don't need to be portable here:
-CRYPT_FILES=@filesCipher@
-
-# sometimes we need to specify special options for
-# a hash (variable is prepended by the name of the
-# crypt hash).
-BLOWFISH_CRYPT_FILES=10
-
-# For NIS, we should always use DES:
-CRYPT_YP=des
diff --git a/modules/programs/pwdutils/pwdutils.nix b/modules/programs/pwdutils/pwdutils.nix
index a690d7dab3e..cb77a0e4346 100644
--- a/modules/programs/pwdutils/pwdutils.nix
+++ b/modules/programs/pwdutils/pwdutils.nix
@@ -4,6 +4,12 @@
 
 let
 
+in
+
+{
+
+  ###### interface
+  
   options = {
 
     users.defaultUserShell = pkgs.lib.mkOption {
@@ -19,39 +25,53 @@ let
   
   };
 
-in
+  
+  ###### implementation
 
-{
-  require = [options];
+  config = {
 
-  environment.etc =
-    [ { # /etc/login.defs: global configuration for pwdutils.  You
-        # cannot login without it! 
-        source = ./login.defs;
-        target = "login.defs";
-      } 
+    environment.systemPackages = [ pkgs.shadow ];
 
-      { # /etc/default/passwd: configuration for passwd and friends
-        # (e.g., hash algorithm for /etc/passwd).
-        source = pkgs.substituteAll {
-          src = ./passwd.conf;
-          # This depends on pam_unix2 being built with libxcrypt or libc's libcrypt.
-          # Only in the first case it will understand 'blowfish'. And pam_unix2
-          # is not built with libxcrypt at the time of writing (it did not build)
-          filesCipher = if (pkgs.stdenv.system == "armv5tel-linux") then
-            "des" else "blowfish";
-        };
-        target = "default/passwd";
-      }
+    environment.etc =
+      [ { # /etc/login.defs: global configuration for pwdutils.  You
+          # cannot login without it! 
+          source = ./login.defs;
+          target = "login.defs";
+        } 
 
-      { # /etc/default/useradd: configuration for useradd.
-        source = pkgs.writeText "useradd"
-          ''
-            GROUP=100
-            HOME=/home
-            SHELL=${config.users.defaultUserShell}
-          '';
-        target = "default/useradd";
-      }
-    ];
+        { # /etc/default/useradd: configuration for useradd.
+          source = pkgs.writeText "useradd"
+            ''
+              GROUP=100
+              HOME=/home
+              SHELL=${config.users.defaultUserShell}
+            '';
+          target = "default/useradd";
+        }
+      ];
+
+    security.pam.services =
+      [ { name = "chsh"; rootOK = true; }
+        { name = "chfn"; rootOK = true; }
+        { name = "su"; rootOK = true; forwardXAuth = true; }
+        { name = "passwd"; }
+        # Note: useradd, groupadd etc. aren't setuid root, so it
+        # doesn't really matter what the PAM config says as long as it
+        # lets root in.
+        { name = "useradd"; rootOK = true; }
+        { name = "usermod"; rootOK = true; }
+        { name = "userdel"; rootOK = true; }
+        { name = "groupadd"; rootOK = true; }
+        { name = "groupmod"; rootOK = true; } 
+        { name = "groupmems"; rootOK = true; }
+        { name = "groupdel"; rootOK = true; }
+        { name = "login"; ownDevices = true; allowNullPassword = true;
+          limits = config.security.pam.loginLimits;
+        }
+      ];
+      
+    security.setuidPrograms = [ "passwd" "chfn" "su" ];
+    
+  };
+  
 }
diff --git a/modules/security/pam.nix b/modules/security/pam.nix
index f92c0e106db..20868140cfa 100644
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@@ -199,22 +199,9 @@ in
         { name = "ejabberd"; }
         { name = "ftp"; }
         { name = "lshd"; }
-        { name = "passwd"; }
         { name = "samba"; }
         { name = "sshd"; }
         { name = "xlock"; }
-        { name = "chsh"; rootOK = true; }
-        { name = "chfn"; rootOK = true; }
-        { name = "su"; rootOK = true; forwardXAuth = true; }
-        # Note: useradd, groupadd etc. aren't setuid root, so it
-        # doesn't really matter what the PAM config says as long as it
-        # lets root in.
-        { name = "useradd"; rootOK = true; }
-        # Used by groupadd etc.
-        { name = "shadow"; rootOK = true; }
-        { name = "login"; ownDevices = true; allowNullPassword = true;
-          limits = config.security.pam.loginLimits;
-        }
       ];
 
   };
diff --git a/modules/security/setuid-wrappers.nix b/modules/security/setuid-wrappers.nix
index aa85ee20dc9..a7513477353 100644
--- a/modules/security/setuid-wrappers.nix
+++ b/modules/security/setuid-wrappers.nix
@@ -74,9 +74,7 @@ in
   config = {
 
     security.setuidPrograms =
-      [ "passwd" "chfn" "su" "crontab" "ping" "ping6"
-        "fusermount" "wodim" "cdrdao" "growisofs"
-      ];
+      [ "crontab" "fusermount" "wodim" "cdrdao" "growisofs" ];
 
     system.activationScripts.setuid =
       let
diff --git a/modules/services/misc/nix-daemon.nix b/modules/services/misc/nix-daemon.nix
index 214e091886a..a9a0bc70f1e 100644
--- a/modules/services/misc/nix-daemon.nix
+++ b/modules/services/misc/nix-daemon.nix
@@ -12,10 +12,10 @@ let
 
       /* For consistency with the setgid(2), setuid(2), and setgroups(2)
          calls in `libstore/build.cc', don't add any supplementary group
-         here.  */
+         here except "nixbld".  */
       uid = builtins.add config.ids.uids.nixbld nr;
       group = "nixbld";
-      extraGroups = [];
+      extraGroups = [ "nixbld" ];
     };
 
 in
diff --git a/modules/services/ttys/mingetty.nix b/modules/services/ttys/mingetty.nix
index 5f6b1d0f14c..445fdcd78ed 100644
--- a/modules/services/ttys/mingetty.nix
+++ b/modules/services/ttys/mingetty.nix
@@ -57,7 +57,7 @@ with pkgs.lib;
     
       startOn = "started udev";
 
-      exec = "${pkgs.mingetty}/sbin/mingetty --loginprog=${pkgs.pam_login}/bin/login --noclear ${tty}";
+      exec = "${pkgs.mingetty}/sbin/mingetty --loginprog=${pkgs.shadow}/bin/login --noclear ${tty}";
       
     }) config.services.mingetty.ttys);
 
diff --git a/modules/system/activation/activation-script.nix b/modules/system/activation/activation-script.nix
index 19548f208d9..5327740c631 100644
--- a/modules/system/activation/activation-script.nix
+++ b/modules/system/activation/activation-script.nix
@@ -28,7 +28,7 @@ let
       let path = [
         pkgs.coreutils pkgs.gnugrep pkgs.findutils
         pkgs.glibc # needed for getent
-        pkgs.pwdutils
+        pkgs.shadow
         pkgs.nettools # needed for hostname
       ]; in noDepEntry ''
         export PATH=/empty
diff --git a/modules/system/upstart-events/shutdown.nix b/modules/system/upstart-events/shutdown.nix
index 66d5a7b588b..9db5fafa46c 100644
--- a/modules/system/upstart-events/shutdown.nix
+++ b/modules/system/upstart-events/shutdown.nix
@@ -54,7 +54,7 @@ with pkgs.lib;
               echo ""
               echo "<<< Maintenance shell >>>"
               echo ""
-              ${pkgs.pam_login}/bin/login root
+              ${pkgs.shadow}/bin/login root
               initctl emit -n startup
               exit 0
           fi
diff --git a/modules/tasks/network-interfaces.nix b/modules/tasks/network-interfaces.nix
index 836950f42a6..46d608dbb9b 100644
--- a/modules/tasks/network-interfaces.nix
+++ b/modules/tasks/network-interfaces.nix
@@ -142,6 +142,8 @@ in
         pkgs.wirelesstools
         pkgs.rfkill
       ];
+
+    security.setuidPrograms = [ "ping" "ping6" ];
     
     jobs.networkInterfaces = 
       { name = "network-interfaces";