In https://bugs.gentoo.org/777267 I ended up with a solution where I created a wrapper script for env-update which calls env-update and then updates the value of "secure_path" in /etc/sudoers/secure_path based on the updated value of REALPATH.
It would be nice if env-update would have an added feature where it executes +x scripts present somewhere in /etc (perhaps in /etc/env-update.d/) after updating /etc/profile.env and other stuff so I wouldn't have to use a wrapper like this. It's also not guaranteed that the wrapper is called during emerge over the real env-update.
Created attachment 692598 [details, diff]
Simple patch to make it work
The solutions sounds somewhat complicated for a PATH ordering issue, so I'd like to understand why there's not a simpler way to generate an appropriate PATH setting, if that really is the case.
If we'd like to make secure_path follow the generated [ROOT]PATH from env.d, this is the only way to make it consistent. Also I believe this can also help with other things that has to be regenerated everytime something significant in /etc/env.d is modified.
Created attachment 692676 [details]
Working post-update script that updates secure_path
Created attachment 692688 [details]
Working post-update script that updates secure_path (V2)
Created attachment 692691 [details]
Working post-update script that updates secure_path (V3)
There's no need to check if ROOTPATH has /usr/sbin since the default already has it, and secure_path should have a conservative value, so avoid including values from PATH. A path should also be in ROOTPATH anyway if it's meant to run as EUID 0.
Created attachment 692721 [details]
Working post-update script that updates secure_path (V4)
Avoid updating secure_path if it's already up-to-date to lessen noise and write IO
Created attachment 692730 [details]
Working post-update script that updates secure_path (V5)
Exclude "\n" in printf assignment and use more EPREFIX
Created attachment 747183 [details, diff]
Updated to work with 3.0.28
I customized the official ebuild so it includes this feature. It can be enabled with the 'unofficial' use flag.