diff --git a/files/patches/admin.mount.patch b/files/patches/admin.mount.patch
new file mode 100644
index 000000000..03b1b1e21
--- /dev/null
+++ b/files/patches/admin.mount.patch
@@ -0,0 +1,11 @@
+--- a/usr/share/gvfs/mounts/admin.mount
++++ b/usr/share/gvfs/mounts/admin.mount
+@@ -1,7 +1,7 @@
+ [Mount]
+ Type=admin
+ # Add a dummy argument after pkexec, or '/bin/sh -c' will eat the first argument in '$@'
+-Exec=/bin/sh -c 'pkexec /usr/libexec/gvfsd-admin "$@" --address $DBUS_SESSION_BUS_ADDRESS --dir $XDG_RUNTIME_DIR' gvfsd-admin
++Exec=/bin/sh -c 'run0 --setenv=PKEXEC_UID="$UID" /usr/libexec/gvfsd-admin "$@" --address $DBUS_SESSION_BUS_ADDRESS --dir $XDG_RUNTIME_DIR' gvfsd-admin
+ AutoMount=false
+ DBusName=org.gtk.vfs.mountpoint_admin
+ MountPerClient=true
diff --git a/files/patches/login.defs.patch b/files/patches/login.defs.patch
new file mode 100644
index 000000000..7b65475c1
--- /dev/null
+++ b/files/patches/login.defs.patch
@@ -0,0 +1,20 @@
+--- a/etc/login.defs
++++ b/etc/login.defs
+@@ -114,7 +114,7 @@
+ # 022 is the default value, but 027, or even 077, could be considered
+ # for increased privacy. There is no One True Answer here: each sysadmin
+ # must make up their mind.
+-UMASK 022
++UMASK 027
+ 
+ # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+ # home directories.
+@@ -255,7 +255,7 @@
+ # If not specified, a cost factor of 5 will be used.
+ # The value must be within the 1-11 range.
+ #
+-#YESCRYPT_COST_FACTOR 5
++YESCRYPT_COST_FACTOR 11
+ 
+ # Currently CONSOLE_GROUPS is not supported
+ 
diff --git a/files/system/etc/login.defs b/files/system/etc/login.defs
deleted file mode 100644
index 3edcfd187..000000000
--- a/files/system/etc/login.defs
+++ /dev/null
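Review bot: The new Exec line derives PKEXEC_UID from `$UID`, which is a bash/ksh/zsh variable rather than a POSIX one, so the value that reaches gvfsd-admin depends on what /bin/sh resolves to inside the `/bin/sh -c '…'` wrapper; on a dash-like sh it would expand to empty. `$(id -u)` is portable and yields the same uid: `--setenv=PKEXEC_UID="$(id -u)"`. There is also a trust shift worth confirming: with pkexec the privileged launcher set PKEXEC_UID itself, whereas here the unprivileged caller's shell supplies it, so check that gvfsd-admin does not treat it as authoritative for anything beyond identifying the session it serves. The comment carried over above the Exec line still refers to pkexec; it should now read `# Add a dummy argument after run0, or '/bin/sh -c' will eat the first argument in '$@'`.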
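Review bot: This patch replaces the deleted files/system/etc/login.defs but carries over only `UMASK 027` and `YESCRYPT_COST_FACTOR 11`; the deleted file also set `HOME_MODE 0700`, `ENCRYPT_METHOD YESCRYPT` and `HMAC_CRYPTO_ALGO SHA512`, which this commit no longer asserts anywhere. Unless the base image's login.defs already carries those values, new-home-directory mode and the password hash method silently fall back to whatever the base ships; confirm against the base file or add hunks for them. The two hunks are anchored on upstream comment text and line numbers (114, 255), so a base-image update that rewords login.defs will make the build fail rather than silently drop the hardening, which is the right failure mode but deserves a line in the patch header (text before the first `---` is ignored by patch) saying that the file must be regenerated against the base image's login.defs when hunks stop applying. The surrounding comment notes that 11 is the top of the 1-11 range, so a short note on the accepted per-authentication CPU and memory cost would also help future readers.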
@@ -1,116 +0,0 @@
-# *REQUIRED*
-# Directory where mailboxes reside, _or_ name of file, relative to the
-# home directory. If you _do_ define both, MAIL_DIR takes precedence.
-#
-MAIL_DIR /var/spool/mail
-
-# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported
-
-# Default initial "umask" value used by login(1) on non-PAM enabled systems.
-# Default "umask" value for pam_umask(8) on PAM enabled systems.
-# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
-# home directories if HOME_MODE is not set.
-# 022 is the default value, but 027, or even 077, could be considered
-# for increased privacy. There is no One True Answer here: each sysadmin
-# must make up their mind.
-UMASK 027
-
-# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
-# home directories.
-# If HOME_MODE is not set, the value of UMASK is used to create the mode.
-HOME_MODE 0700
-
-# Password aging controls:
-#
-# PASS_MAX_DAYS Maximum number of days a password may be used.
-# PASS_MIN_DAYS Minimum number of days allowed between password changes.
-# PASS_MIN_LEN Minimum acceptable password length.
-# PASS_WARN_AGE Number of days warning given before a password expires.
-#
-PASS_MAX_DAYS 99999
-PASS_MIN_DAYS 0
-PASS_WARN_AGE 7
-
-
-#
-# Min/max values for automatic uid selection in useradd(8)
-#
-UID_MIN 1000
-UID_MAX 60000
-# System accounts
-SYS_UID_MIN 201
-SYS_UID_MAX 999
-# Extra per user uids
-SUB_UID_MIN 524288
-SUB_UID_MAX 600100000
-SUB_UID_COUNT 65536
-
-#
-# Min/max values for automatic gid selection in groupadd(8)
-#
-GID_MIN 1000
-GID_MAX 60000
-# System accounts
-SYS_GID_MIN 201
-SYS_GID_MAX 999
-# Extra per user group ids
-SUB_GID_MIN 524288
-SUB_GID_MAX 600100000
-SUB_GID_COUNT 65536
-
-#
-# If set to MD5, MD5-based algorithm will be used for encrypting password
-# If set to SHA256, SHA256-based algorithm will be used for encrypting password
-# If set to SHA512, SHA512-based algorithm will be used for encrypting password
-# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
-# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
-# If set to DES, DES-based algorithm will be used for encrypting password (default)
-#
-ENCRYPT_METHOD YESCRYPT
-
-# *REQUIRED*
-# Directory where mailboxes reside, _or_ name of file, relative to the
-# home directory. If you _do_ define both, MAIL_DIR takes precedence.
-#
-MAIL_DIR /var/spool/mail
-
-# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
-# home directories.
-# If HOME_MODE is not set, the value of UMASK is used to create the mode.
-HOME_MODE 0700
-
-#
-# Only works if ENCRYPT_METHOD is set to YESCRYPT.
-#
-# Define the YESCRYPT cost factor.
-# With a higher cost factor, it is more difficult to brute-force the password.
-# However, more CPU time and more memory will be needed to authenticate users
-# if this value is increased.
-#
-# If not specified, a cost factor of 5 will be used.
-# The value must be within the 1-11 range.
-#
-YESCRYPT_COST_FACTOR 11
-
-#
-# Enables userdel(8) to remove user groups if no members exist.
-#
-USERGROUPS_ENAB yes
-
-#
-# If useradd(8) should create home directories for users by default (non
-# system users only).
-# This option is overridden with the -M or -m flags on the useradd(8)
-# command-line.
-#
-CREATE_HOME yes
-
-#
-# Select the HMAC cryptography algorithm.
-# Used in pam_timestamp module to calculate the keyed-hash message
-# authentication code.
-#
-# Note: It is recommended to check hmac(3) to see the possible algorithms
-# that are available in your system.
-#
-HMAC_CRYPTO_ALGO SHA512
\ No newline at end of file
diff --git a/modules/patch/module.yml b/modules/patch/module.yml
new file mode 100644
index 000000000..e8a003e48
--- /dev/null
+++ b/modules/patch/module.yml
@@ -0,0 +1,6 @@
+name: patch
+shortdesc: This module is used to apply patches to files at image build image.
+example: |
+ type: patch
+ patches:
+ - hardenlogindefs.patch
diff --git a/modules/patch/patch.sh b/modules/patch/patch.sh
new file mode 100755
index 000000000..fb480a850
--- /dev/null
+++ b/modules/patch/patch.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+shopt -s nullglob
+
+get_json_array PATCHES 'try .["patches"][]' "$1"
+PATCH_DIR="$CONFIG_DIRECTORY/patches"
+readonly PATCHES PATCH_DIR
+
+main() {
+ local p
+ for p in "${PATCHES[@]}"; do
+ patch --batch --silent --forward --no-backup-if-mismatch \
+ --directory=/ --strip=1 < "$PATCH_DIR/$p"
+ done
+}
+
+main "$@"
diff --git a/recipes/common/common-modules.yml b/recipes/common/common-modules.yml
index c5bfff081..2f91c9b2a 100644
--- a/recipes/common/common-modules.yml
+++ b/recipes/common/common-modules.yml
@@ -20,5 +20,9 @@ modules:
 - type: script
 scripts:
 - enablecommonautoupdate.sh
+ - type: patch
+ source: local
+ patches:
+ - login.defs.patch
 - type: secureblue-signing
 source: local
diff --git a/recipes/common/silverblue-modules.yml b/recipes/common/silverblue-modules.yml
index eb3e9d764..c103b38df 100644
--- a/recipes/common/silverblue-modules.yml
+++ b/recipes/common/silverblue-modules.yml
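Review bot: The shortdesc reads "apply patches to files at image build image", which looks like a typo for "at image build time". The example lists `hardenlogindefs.patch`, while the recipes in this commit reference `login.defs.patch` and `admin.mount.patch`; using a real file name keeps the example copy-pasteable, e.g. `- login.defs.patch`. It would also help to state where patch files are looked up, since patch.sh reads them from `$CONFIG_DIRECTORY/patches`.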
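Review bot: A failing hunk aborts the loop via `set -e` without naming the patch, because `--silent` suppresses patch's own diagnostics; replace the bare call with `patch --batch --silent --forward --no-backup-if-mismatch --directory=/ --strip=1 < "$PATCH_DIR/$p" || { printf 'patch: failed to apply %s\n' "$p" >&2; exit 1; }` or drop `--silent` so the build log shows what did not apply. `--forward` makes patch skip hunks that look already applied, but as I read patch(1) it still exits 1 when hunks are ignored, so re-running the module on an already-patched tree also aborts; if that is intended, a comment saying so would prevent someone "fixing" it later. `shopt -s nullglob` has no effect here since the script never globs. The script also assumes `get_json_array` is provided by the calling environment and that `patch` exists in the base image; a `command -v patch >/dev/null || { printf 'patch: patch(1) not installed\n' >&2; exit 1; }` check gives a clearer error than a command-not-found under `set -e`.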
@@ -27,3 +27,7 @@ modules:
 - type: script
 scripts:
 - removedkmshelper.sh
+ - type: patch
+ source: local
+ patches:
+ - admin.mount.patch