I wouldn't say this is a terrible hack. Necessary in some cases, but not terrible.
Some of the current S2I builders use a different way of achieving the same thing by pre-loading shared libraries into applications using the nss_wrapper package. Making the passwd file writable and adding an entry in startup screen is cleaner, and no one has been able to identify any potential problems from making the passwd file group writable. It is possible that the nss_wrapper method will be replaced with the way you are doing it.
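A sketch of the startup step discussed above, added here as an example and not taken from the comment or from any S2I builder: it appends a passwd entry for the runtime UID only when one is missing, and validates each field before writing to the group-writable file. The function name, its arguments and the `USER_NAME` variable are assumptions.

```shell
#!/bin/sh
# Added example (function and argument names are hypothetical).
# ensure_passwd_entry FILE UID GID NAME HOME
# Appends one passwd line for UID unless that UID already resolves.
ensure_passwd_entry() {
    pw_file=$1; uid=$2; gid=$3; name=$4; home=$5

    # A writable passwd file is only as safe as what gets written to it:
    # reject values that could add extra fields or extra lines.
    case $uid in ''|*[!0-9]*) echo "invalid uid" >&2; return 2 ;; esac
    case $gid in ''|*[!0-9]*) echo "invalid gid" >&2; return 2 ;; esac
    case $name in ''|*[!A-Za-z0-9_-]*) echo "invalid name" >&2; return 2 ;; esac
    case $home in
        *:*|*'
'*) echo "invalid home" >&2; return 2 ;;
        /*) ;;
        *) echo "invalid home" >&2; return 2 ;;
    esac

    # Idempotent across restarts: nothing to do if the UID already has an entry.
    if awk -F: -v u="$uid" '$3 == u { f = 1 } END { exit !f }' "$pw_file"; then
        return 0
    fi
    # Do not create a second UID 0 account or reuse an existing login name.
    case $uid in *[!0]*) ;; *) echo "refusing uid 0" >&2; return 2 ;; esac
    if awk -F: -v n="$name" '$1 == n { f = 1 } END { exit !f }' "$pw_file"; then
        echo "name already in use" >&2; return 2
    fi
    [ -w "$pw_file" ] || { echo "$pw_file not writable" >&2; return 1; }

    printf '%s:x:%s:%s:%s user:%s:/sbin/nologin\n' \
        "$name" "$uid" "$gid" "$name" "$home" >> "$pw_file"
}

# Typical call from an image entrypoint (assumed layout, GID 0 as the writable group):
#   ensure_passwd_entry /etc/passwd "$(id -u)" 0 "${USER_NAME:-default}" "${HOME:-/tmp}"
```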