diff --git a/nixos/tests/shadow.nix b/nixos/tests/shadow.nix
index 04ee0a2bf95d..17ab1a3710ae 100644
--- a/nixos/tests/shadow.nix
+++ b/nixos/tests/shadow.nix
@@ -171,5 +171,10 @@ in
 shadow.wait_for_file("/tmp/leo")
 assert "leo" in shadow.succeed("cat /tmp/leo")
 shadow.send_chars("logout\n")
+
+ with subtest("su wrapper should point to shadow by default"):
+ output = shadow.succeed("grep -aoP '/nix/store/[a-z0-9]{32}-[^\\x00]+' /run/wrappers/bin/su | head -1").strip()
+ assert "shadow" in output, \
+ f"su should come from shadow, but points to: {output}"
 '';
 }
diff --git a/nixos/tests/sudo-rs.nix b/nixos/tests/sudo-rs.nix
index 7e691ef7e51b..62891ed01d53 100644
--- a/nixos/tests/sudo-rs.nix
+++ b/nixos/tests/sudo-rs.nix
@@ -162,5 +162,10 @@ in
 with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"):
 strict.fail('faketty -- su - noadmin -c "sudo --help"')
+
+ with subtest("su should come from sudo-rs"):
+ output = machine.succeed("grep -aoP '/nix/store/[a-z0-9]{32}-[^\\x00]+' /run/wrappers/bin/su | head -1").strip()
+ assert "sudo-rs" in output, \
+ f"su should come from sudo-rs, but points to: {output}"
 '';
 }
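Review bot: The new subtest trusts whichever store path appears first in `/run/wrappers/bin/su`, because `head -1` keeps only the first match and `assert "shadow" in output` is a plain substring check. If the wrapper binary ever embeds another store path ahead of the wrapped program (an interpreter or library path, for instance), the assertion would be evaluated against the wrong string. Since this test guards which package backs a setuid binary, anchoring the pattern on the target is tighter, e.g. `grep -aoP '/nix/store/[a-z0-9]{32}-[^\\x00]+/bin/su'`, assuming the embedded path ends in `/bin/su`. The same applies to the `sudo-rs` subtest added in nixos/tests/sudo-rs.nix; the enclosing testScript starts outside both hunks.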
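Review bot: The grep in the new subtest appears to rely on an undocumented detail of the wrapper, namely that it stores the wrapped program's store path as a NUL-terminated string, and the same one-liner is duplicated in nixos/tests/shadow.nix. A short comment above the `output = machine.succeed(...)` line would make that dependency explicit, for example `# the setuid wrapper embeds the wrapped program's store path; extract it to see which package provides su`. The check also runs on `machine` only, while the preceding subtest exercises `su` on `strict`; if both nodes are meant to get su from sudo-rs, which the hunk does not show, the assertion could be repeated there.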