diff --git a/modules/security/wrappers/default.nix b/modules/security/wrappers/default.nix
index b923105c..9fc3b74d 100644
--- a/modules/security/wrappers/default.nix
+++ b/modules/security/wrappers/default.nix
@@ -72,14 +72,14 @@ let
     # They're taken from pkgs.glibc so that we don't have to keep as close
     # an eye on glibc changes. Not every relevant variable is in this header,
     # so we maintain a slightly stricter list in wrapper.c itself as well.
-    unsecvars = lib.overrideDerivation (pkgs.srcOnly pkgs.glibc)
-      ({ name, ... }: {
-        name = "${name}-unsecvars";
-        installPhase = ''
-          mkdir $out
-          cp sysdeps/generic/unsecvars.h $out
-        '';
-      });
+    # unsecvars = lib.overrideDerivation (pkgs.srcOnly pkgs.glibc)
+    #   ({ name, ... }: {
+    #     name = "${name}-unsecvars";
+    #     installPhase = ''
+    #       mkdir $out
+    #       cp sysdeps/generic/unsecvars.h $out
+    #     '';
+    #   });
   };
 
   mkWrapper =
diff --git a/modules/security/wrappers/wrapper.c b/modules/security/wrappers/wrapper.c
index 2075b948..5700cf10 100644
--- a/modules/security/wrappers/wrapper.c
+++ b/modules/security/wrappers/wrapper.c
@@ -3,21 +3,21 @@
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
-#include <stdnoreturn.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/xattr.h>
-#include <fcntl.h>
-#include <dirent.h>
-#include <errno.h>
-#include <sys/prctl.h>
-#include <limits.h>
-#include <stdint.h>
-#include <syscall.h>
-#include <byteswap.h>
+// #include <stdnoreturn.h>
+// #include <sys/types.h>
+// #include <sys/stat.h>
+// #include <sys/xattr.h>
+// #include <fcntl.h>
+// #include <dirent.h>
+// #include <errno.h>
+// #include <sys/prctl.h>
+// #include <limits.h>
+// #include <stdint.h>
+// #include <syscall.h>
+// #include <byteswap.h>
 
 // imported from glibc
-#include "unsecvars.h"
+// #include "unsecvars.h"
 
 #ifndef SOURCE_PROG
 #error SOURCE_PROG should be defined via preprocessor commandline
@@ -86,12 +86,12 @@ int main(int argc, char **argv) {
     //
     // If we don't explicitly unset them, it's quite easy to just set LD_PRELOAD,
     // have it passed through to the wrapped program, and gain privileges.
-    for (char *unsec = UNSECURE_ENVVARS_TUNABLES UNSECURE_ENVVARS; *unsec; unsec = strchr(unsec, 0) + 1) {
-        if (debug) {
-            fprintf(stderr, "unsetting %s\n", unsec);
-        }
-        unsetenv(unsec);
-    }
+    // for (char *unsec = UNSECURE_ENVVARS_TUNABLES UNSECURE_ENVVARS; *unsec; unsec = strchr(unsec, 0) + 1) {
+    //     if (debug) {
+    //         fprintf(stderr, "unsetting %s\n", unsec);
+    //     }
+    //     unsetenv(unsec);
+    // }
 
     execve(SOURCE_PROG, argv, environ);
     
diff --git a/modules/security/wrappers/wrapper.nix b/modules/security/wrappers/wrapper.nix
index ca4b27bf..8c795e74 100644
--- a/modules/security/wrappers/wrapper.nix
+++ b/modules/security/wrappers/wrapper.nix
@@ -1,9 +1,8 @@
-{ stdenv, unsecvars, linuxHeaders, sourceProg, debug ? false }:
+{ stdenv, sourceProg, debug ? false }:
 # For testing:
 # $ nix-build -E 'with import <nixpkgs> {}; pkgs.callPackage ./wrapper.nix { sourceProg = "${pkgs.hello}/bin/hello"; debug = true; }'
 stdenv.mkDerivation {
   name = "security-wrapper-${baseNameOf sourceProg}";
-  buildInputs = [ linuxHeaders ];
   dontUnpack = true;
   CFLAGS = [
     ''-DSOURCE_PROG="${sourceProg}"''
@@ -15,6 +14,6 @@ stdenv.mkDerivation {
   dontStrip = debug;
   installPhase = ''
     mkdir -p $out/bin
-    $CC $CFLAGS ${./wrapper.c} -I${unsecvars} -o $out/bin/security-wrapper
+    $CC $CFLAGS ${./wrapper.c} -o $out/bin/security-wrapper
   '';
 }