Currently when secure_path is enabled, app-admin/sudo inserts the default paths before the extracted values changing the wanted order.

Perhaps a use flag can be added so the default paths can be added differently:


```
-IUSE="gcrypt ldap nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd"
+IUSE="gcrypt ldap nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd alt-secure-path-order"
 
 DEPEND="
 	sys-libs/zlib:=
@@ -120,7 +120,11 @@ set_secure_path() {
 		done
 		SECURE_PATH=${newpath#:}
 	}
-	cleanpath /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
+	if use alt-secure-path-order; then
+		cleanpath ${SECURE_PATH:+${SECURE_PATH}:}/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin
+	else
+		cleanpath /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
+	fi
```

Or maybe change to the new behavior permanently.

The whole function can also be simplified:


```
set_secure_path() {
	einfo "Setting SECURE_PATH ..."

	SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env; echo "${ROOTPATH}")
	[[ ${SECURE_PATH} != */usr/bin* ]] && SECURE_PATH=$(unset PATH; . "${EPREFIX}"/etc/profile.env;
			echo "${PATH}")

	local IFS=: __

	if use alt-secure-path-order; then
		set -- ${SECURE_PATH} /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin /opt/bin
	else
		set -- /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin /opt/bin ${SECURE_PATH}
	fi

	SECURE_PATH=

	for __; do
		case $__ in
		''|*/gcc-bin/*|*/gnat-gcc-bin/*|*/gnat-gcc/*) # bug #136027
			;;
		*)
			[[ :${SECURE_PATH}: != *:"$__":* ]] && SECURE_PATH+=:$__
			;;
		esac
	done

	SECURE_PATH=${SECURE_PATH#:}
}
```

Note that `*/usr/sbin*` has been changed to `*/usr/bin*.  See bug #939157.