diff --git a/internal/app/app_test.go b/internal/app/app_test.go
index 57d81ef..0c54502 100644
--- a/internal/app/app_test.go
+++ b/internal/app/app_test.go
@@ -73,6 +73,7 @@ func TestApp(t *testing.T) {
 Readonly(m("/var/run/nscd"), 0755).
 Etc(m("/etc/"), "4a450b6596d7bc15bd01780eb9a607ac").
 Tmpfs(m("/run/user/1971"), 8192, 0755).
+ Tmpfs(m("/run/nscd"), 8192, 0755).
 Tmpfs(m("/run/dbus"), 8192, 0755).
 Remount(m("/dev/"), syscall.MS_RDONLY).
 Tmpfs(m("/run/user/"), 4096, 0755).
@@ -209,6 +210,7 @@ func TestApp(t *testing.T) {
 Readonly(m("/var/run/nscd"), 0755).
 Etc(m("/etc/"), "ebf083d1b175911782d413369b64ce7c").
 Tmpfs(m("/run/user/1971"), 8192, 0755).
+ Tmpfs(m("/run/nscd"), 8192, 0755).
 Tmpfs(m("/run/dbus"), 8192, 0755).
 Remount(m("/dev/"), syscall.MS_RDONLY).
 Tmpfs(m("/run/user/"), 4096, 0755).
@@ -552,6 +554,8 @@ func (k *stubNixOS) tempdir() string { return "/tmp/" }
 
 func (k *stubNixOS) evalSymlinks(path string) (string, error) {
 switch path {
+ case "/var/run/nscd":
+ return "/run/nscd", nil
 case "/run/user/1971":
 return "/run/user/1971", nil
 case "/tmp/hakurei.0":
diff --git a/internal/app/spcontainer.go b/internal/app/spcontainer.go
index ee18cec..cb5d938 100644
--- a/internal/app/spcontainer.go
+++ b/internal/app/spcontainer.go
@@ -13,6 +13,8 @@ import (
 "hakurei.app/system/dbus"
 )
 
+const varRunNscd = container.FHSVar + "run/nscd"
+
 // spParamsOp initialises unordered fields of [container.Params] and the optional root filesystem.
 // This outcomeOp is hardcoded to always run first.
 type spParamsOp struct {
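Review bot: The expected chain now stacks an ephemeral rw tmpfs at /run/nscd on top of the `Readonly(m("/var/run/nscd"), 0755)` mount three lines earlier, which per the new evalSymlinks stub resolves to the same /run/nscd, so in these two configurations the readonly mount is shadowed and no longer observable inside the container. The hunk at -209 and the pd.nix case at -185 show the same pairing. Whether the Readonly of /var/run/nscd is conditional elsewhere cannot be told from the hunk; if it is not, the fixture would read clearer with `// hidePaths covers /run/nscd with an ephemeral tmpfs; the readonly mount above is shadowed` above the added line. TestApp starts and ends outside the hunk.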
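Review bot: The stub only models the case where /var/run/nscd resolves, and as far as the hunk shows both TestApp configurations run against a host that has nscd; the consumer of hidePaths (outside this hunk) presumably calls evalSymlinks, and a host without an nscd directory, where resolution fails, is not exercised. A stub entry returning an error for a missing nscd directory, paired with an expectation of whether the container still starts or fails loudly, would pin that behaviour. evalSymlinks continues past the hunk.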
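Review bot: varRunNscd carries no comment, and the reason it exists lives only in the hidePaths literal in toSystem, so a reader of the package-level declarations cannot tell why the nscd directory is special. Suggest `// varRunNscd is the nscd socket directory; it is hidden so NSS lookups in the container cannot bypass the emulated passwd database through a host nscd socket.` The concatenation `container.FHSVar + "run/nscd"` also assumes FHSVar carries its trailing separator, which cannot be confirmed from this hunk.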
@@ -121,8 +123,14 @@ func (s spFilesystemOp) toSystem(state *outcomeStateSys, _ *hst.Config) error {
 this feature tries to improve user experience of permissive defaults, and to warn about issues in custom configuration; it is NOT a security feature and should not be treated as such, ALWAYS be careful with what you bind */
- var hidePaths []string
- hidePaths = append(hidePaths, state.sc.RuntimePath.String(), state.sc.SharePath.String())
+ hidePaths := []string{
+ state.sc.RuntimePath.String(),
+ state.sc.SharePath.String(),
+
+ // this causes emulated passwd database to be bypassed on some /etc/ setups
+ varRunNscd,
+ }
+
 _, systemBusAddr := dbus.Address()
 if entries, err := dbus.Parse([]byte(systemBusAddr)); err != nil {
 return &hst.AppError{Step: "parse dbus address", Err: err}
diff --git a/test/sandbox/case/pd.nix b/test/sandbox/case/pd.nix
index f98254f..ad97c99 100644
--- a/test/sandbox/case/pd.nix
+++ b/test/sandbox/case/pd.nix
@@ -185,6 +185,7 @@
 (ent "/" "/run/nscd" "ro,nosuid,nodev,relatime" "tmpfs" "readonly" "ro,mode=755,uid=1000000,gid=1000000")
 (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/" "/run/user/1000" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=8k,mode=755,uid=1000000,gid=1000000")
+ (ent "/" "/run/nscd" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=8k,mode=755,uid=1000000,gid=1000000")
 (ent "/" "/run/dbus" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=8k,mode=755,uid=1000000,gid=1000000")
 (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000000,gid=1000000")
 (ent "/tmp/hakurei.0/runtime/0" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
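Review bot: The added comment above `varRunNscd,` says what goes wrong but not why, and it understates the scope: glibc NSS prefers the nscd socket under this directory whenever it is reachable, so a host socket leaking into the container redirects passwd, group and hosts lookups to the host daemon instead of the emulated databases. Suggest `// glibc NSS talks to nscd through this directory when present; hide it so lookups cannot bypass the emulated passwd/group databases via a host socket`. The surrounding comment also declares hidePaths "NOT a security feature", while this entry is what keeps the passwd emulation honest; if that emulation is relied upon, a failure to hide this path should probably not pass silently, but how hidePaths failures are handled is decided outside the hunk. toSystem continues outside the hunk.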