diff --git a/pkgs/tools/system/at/default.nix b/pkgs/tools/system/at/default.nix
index 501a1bde33b3..cc4ccdd40f09 100644
--- a/pkgs/tools/system/at/default.nix
+++ b/pkgs/tools/system/at/default.nix
@@ -1,4 +1,7 @@
-{ fetchurl, stdenv, bison, flex, pam, sendmailPath ? "/run/wrappers/bin/sendmail" }:
+{ fetchurl, stdenv, bison, flex, pam
+, sendmailPath ? "/run/wrappers/bin/sendmail"
+, atWrapperPath ? "/run/wrappers/bin/at"
+}:
 
 stdenv.mkDerivation rec {
   name = "at-${version}";
@@ -30,6 +33,13 @@ stdenv.mkDerivation rec {
        --with-daemon_username=atd --with-daemon_groupname=atd
     '';
 
+  # Ensure that "batch" can invoke the setuid "at" wrapper, if it exists, or
+  # else we get permission errors (on NixOS). "batch" is a shell script, so
+  # when the kernel executes it it drops setuid perms.
+  postInstall = ''
+    sed -i "6i test -x ${atWrapperPath} && exec ${atWrapperPath} -qb now  # exec doesn't return" "$out/bin/batch"
+  '';
+
   meta = {
     description = ''The classical Unix `at' job scheduling command'';
     license = stdenv.lib.licenses.gpl2Plus;