diff --git a/home/scripts/lxc/lxc-login.sh b/home/scripts/lxc/lxc-login.sh
index b5797a3..7f85b98 100644
--- a/home/scripts/lxc/lxc-login.sh
+++ b/home/scripts/lxc/lxc-login.sh
@@ -11,7 +11,7 @@ fi
 lxc-start -n "$CONTAINER" 2>/dev/null || true
 if [[ -n "$SSH_ORIGINAL_COMMAND" ]]; then
- exec lxc-attach -n "$CONTAINER" -- /bin/bash -c "export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; $SSH_ORIGINAL_COMMAND"
+ exec sudo lxc-attach --clear-env -n "$CONTAINER" -- /bin/bash -c "export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; $SSH_ORIGINAL_COMMAND"
 else
- exec lxc-attach -n "$CONTAINER" -- /bin/login -f root
+ exec sudo lxc-attach --clear-env -n "$CONTAINER" -- /bin/login -f root
 fi
diff --git a/system/lxc.nix b/system/lxc.nix
index 4cc9feb..1a5127f 100644
--- a/system/lxc.nix
+++ b/system/lxc.nix
@@ -5,6 +5,14 @@
 lxcfs.enable = true;
 };
+ security.sudo.extraRules = [{
+ groups = [ "labmates" ];
+ commands = [
+ { command = "/run/current-system/sw/bin/lxc-attach"; options = [ "NOPASSWD" ]; }
+ { command = "/run/current-system/sw/bin/lxc-start"; options = [ "NOPASSWD" ]; }
+ ];
+ }];
+
 networking.networkmanager.unmanaged = [ "br0" ];
 virtualisation.lxc.defaultConfig = ''
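Review bot: In lxc-login.sh the context line `lxc-start -n "$CONTAINER" 2>/dev/null || true` still runs unprivileged with its errors discarded, while both attach calls now go through sudo and this same commit adds a NOPASSWD rule for lxc-start. If the containers are root-owned, the start will presumably fail silently and the attach will then hit a stopped container; consider `sudo -n lxc-start -n "$CONTAINER" 2>/dev/null || true`, and `sudo -n` on the two `exec` lines so a missing rule fails fast instead of prompting on a session without a terminal. `$CONTAINER` is assigned outside this hunk; now that it is an argument to a root process, it is worth confirming that it is derived from the authenticated account and not from client-supplied input.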
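Review bot: The new `security.sudo.extraRules` entry in system/lxc.nix grants every member of `labmates` passwordless `lxc-attach` and `lxc-start` with no argument restriction, so the `-n "$CONTAINER"` and `--clear-env` choices made in lxc-login.sh are not enforced by sudo itself. A group member who can invoke sudo directly could name another user's container or pass options that change which namespaces and privileges the attached process keeps, which is broader than entering one's own container; whether these accounts are confined to the forced command is not visible here. A tighter shape is to allow only a root-owned wrapper that derives the container name from `$SUDO_USER`, e.g. `{ command = "<root-owned wrapper path>"; options = [ "NOPASSWD" ]; }`, and to set `runAs = "root";` on the rule. At minimum, a comment above the rule should state that it is meant to be reached only through lxc-login.sh.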