diff --git a/nixos/modules/programs/shadow.nix b/nixos/modules/programs/shadow.nix
index 5c2ea07c5549..895ecb122cb6 100644
--- a/nixos/modules/programs/shadow.nix
+++ b/nixos/modules/programs/shadow.nix
@@ -100,7 +100,7 @@ in
         chgpasswd = { rootOK = true; };
       };
 
-    security.setuidPrograms = [ "passwd" "chfn" "su" "newgrp"
+    security.setuidPrograms = [ "passwd" "chfn" "su" "sg" "newgrp"
       "newuidmap" "newgidmap"  # new in shadow 4.2.x
       ];
 
diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix
index d42a8c7f7d29..bced2a6ed757 100644
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@@ -77,7 +77,7 @@ in
         root        ALL=(ALL) SETENV: ALL
 
         # Users in the "wheel" group can do anything.
-        %wheel      ALL=(ALL) ${if cfg.wheelNeedsPassword then "" else "NOPASSWD: ALL, "}SETENV: ALL
+        %wheel      ALL=(ALL:ALL) ${if cfg.wheelNeedsPassword then "" else "NOPASSWD: ALL, "}SETENV: ALL
         ${cfg.extraConfig}
       '';