Whoa, that’s quite some horrible application code. This should be done with polkit. I’d seen this project around, really expected slightly better quality from it…
Your fix is the only half-reasonable solution, in fact I’ve seen similar things here and there in nixpkgs that should probably be cleaned up. Copying around stuff to add more things that are setuid sounds like the opposite of what you should be doing, and it’s not like only making a subset of the wrappers available would make this any less imperative.
I’d add some assertion that `security.wrappers.sudo` is set (and that `program` is actually `sudo`). There are sudo alternatives that don’t just replace the binary, an eval-time check to tell anyone using one of them that they need to switch to a sudo-compatible one seems appropriate. Plus it brings it back to being a bit closer to being resolved properly.
I’d also see if there’s an issue about using polkit upstream and stay far away from this until at least that is resolved, and probably longer given the poor quality and just how impactful an exploit against this is, but that’s just me.
To be clear to anyone coming here from search engines, though: No, you should not be doing this. If you think there is no other option, ask first, especially if you’re planning to upstream whatever you’re doing.
This is an insane hack and only “necessary” in this super specific case where a remote system management service that has an obvious design flaw is being packaged. If you’re doing the same, consider using cockpit instead of packaging something new.
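
The eval-time check suggested in the post could look like the following. This is an added example, not the poster's code and not code from nixpkgs or the packaged project. The module name `services.example-panel` is a hypothetical stand-in, since the post does not name the service's module.

```nix
# Added example: NixOS module fragment for a service that relies on the
# setuid sudo wrapper. `services.example-panel` is a hypothetical name.
{ config, lib, ... }:

let
  cfg = config.services.example-panel;
  wrappers = config.security.wrappers;
in
{
  options.services.example-panel.enable =
    lib.mkEnableOption "hypothetical service that invokes sudo";

  config = lib.mkIf cfg.enable {
    assertions = [
      {
        # Fails evaluation when no module has defined the sudo wrapper,
        # e.g. when a sudo alternative that ships no `sudo` binary is in use.
        assertion = wrappers ? sudo;
        message = ''
          services.example-panel requires security.wrappers.sudo, which is
          not defined. Use sudo or a sudo-compatible replacement that
          installs this wrapper.
        '';
      }
      {
        # Only checked when the wrapper exists, so a missing wrapper
        # produces one message instead of two.
        assertion = !(wrappers ? sudo) || wrappers.sudo.program == "sudo";
        message = ''
          services.example-panel requires the security.wrappers.sudo entry
          to install a program named "sudo", but its `program` is set to
          something else.
        '';
      }
    ];
  };
}
```

Because `assertions` are evaluated with the rest of the configuration, an incompatible setup fails at build time rather than when the service first tries to escalate.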