diff --git a/cmd/hsu/main.go b/cmd/hsu/main.go
index 1f6ca7b..27b97b5 100644
--- a/cmd/hsu/main.go
+++ b/cmd/hsu/main.go
@@ -34,6 +34,9 @@ func main() {
 if os.Geteuid() != 0 {
 log.Fatal("this program must be owned by uid 0 and have the setuid bit set")
 }
+ if os.Getegid() != os.Getgid() {
+ log.Fatal("this program must not have the setgid bit set")
+ }
 puid := os.Getuid()
 if puid == 0 {
diff --git a/dist/install.sh b/dist/install.sh
index ef2e13d..b347eaa 100755
--- a/dist/install.sh
+++ b/dist/install.sh
@@ -4,7 +4,7 @@ cd "$(dirname -- "$0")" || exit 1
 install -vDm0755 "bin/hakurei" "${HAKUREI_INSTALL_PREFIX}/usr/bin/hakurei"
 install -vDm0755 "bin/hpkg" "${HAKUREI_INSTALL_PREFIX}/usr/bin/hpkg"
-install -vDm6511 "bin/hsu" "${HAKUREI_INSTALL_PREFIX}/usr/bin/hsu"
+install -vDm4511 "bin/hsu" "${HAKUREI_INSTALL_PREFIX}/usr/bin/hsu"
 if [ ! -f "${HAKUREI_INSTALL_PREFIX}/etc/hsurc" ]; then
 install -vDm0400 "hsurc.default" "${HAKUREI_INSTALL_PREFIX}/etc/hsurc"
 fi
diff --git a/nixos.nix b/nixos.nix
index 6dd5180..8135690 100644
--- a/nixos.nix
+++ b/nixos.nix
@@ -51,11 +51,9 @@ in
 ];
 security.wrappers.hsu = {
- source = "${cfg.hsuPackage}/bin/hsu";
 setuid = true;
 owner = "root";
- setgid = true;
 group = "root";
 };
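Review bot: The added guard `os.Getegid() != os.Getgid()` in main() tests the process's credentials rather than the file mode, so it also fires when hsu is started by a caller whose real and effective gid already differ, and the message then blames a setgid bit that is not set. Conversely it passes when a setgid group happens to equal the caller's real gid, which grants nothing but is worth recording. A comment above the check would state the intent, e.g. `// hsu must gain uid 0 only; an egid/gid mismatch means group privilege was picked up on exec or inherited from the caller`. main() begins and continues outside this hunk, so how the gid is used afterwards is not visible here.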
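Review bot: Nothing at the changed `install` line explains why the mode is now 4511, yet the check added to cmd/hsu/main.go in this same commit makes hsu exit when its effective and real gid differ, so restoring the setgid bit here later would break the binary at startup. A comment above the line would tie the two together: `# setuid only: hsu exits if its effective gid differs from the real gid`. The line also passes no `-o`/`-g`, so ownership follows whoever runs the script; that may be intended for staged installs, and the euid check visible in main.go fails closed if the owner ends up not being uid 0.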