diff --git a/chroot_version_hooks.d/45_rewrite_sudoers.d b/chroot_version_hooks.d/45_rewrite_sudoers.d new file mode 100644 index 0000000000..316d434f3f --- /dev/null +++ b/chroot_version_hooks.d/45_rewrite_sudoers.d @@ -0,0 +1,41 @@ +# Copyright (c) 2012 The Chromium OS Authors. All rights reserved. +# Use of this source code is governed by a BSD-style license that can be +# found in the LICENSE file. + +# Note that this script is invoked by make_chroot in addition +# to normal upgrade pathways. + +if [ "$(id -u)" != 0 ]; then + # Note that since we're screwing w/ sudo variables, this script + # explicitly bounces up to root for everything it does- that way + # if anyone introduces a temp depriving in the sudo setup, it can't break + # mid upgrade. + exec sudo bash -e "${VERSION_HOOKS_DIR}/45_rewrite_sudoers.d" \ + / "${USER}" "${ENVIRONMENT_WHITELIST[@]}" + exit 1 +fi + +# Reaching here means we're root. + +if [ $# -lt 2 ]; then + echo "Invoked with wrong number of args; expected root USER [variables]*" + exit 1 +fi + +root=$1 +username=$2 +shift +shift +set -- "${@}" CROS_WORKON_SRCROOT PORTAGE_USERNAME + +cat > "${root}/etc/sudoers.d/90_cros" < /dev/null; then error "Your chroot version file ${VERSION_FILE} is bogus: ${CHROOT_VERSION}" @@ -108,7 +107,7 @@ fi if [ "${LATEST_VERSION}" -gt "${CHROOT_VERSION}" ]; then info "Old chroot version (${CHROOT_VERSION}) found, running upgrade hooks" - pushd "${UPGRADE_D}" 1> /dev/null + pushd "${VERSION_HOOKS_DIR}" 1> /dev/null for n in $(seq "$(expr ${CHROOT_VERSION} + 1)" "${LATEST_VERSION}"); do hook=(${n}_*) 
@@ -138,9 +137,9 @@ if [ "${LATEST_VERSION}" -gt "${CHROOT_VERSION}" ]; then
 # NOTE: We source the upgrade scripts because:
 # 1) We can impose set -something on them.
 # 2) They can reuse local variables and functions (fe. from common.sh)
- # Side effect is that the scripts have to be internally enclosed in
- # a code block, otherwise simply running "exit" in any of them would
- # terminate the master script, so we call it in a subshell.
+ # 3) They're allowed to use VERSION_HOOKS_DIR and VERSION_FILE.
+ # Note that the upgrade scripts have to be subshelled to protect ourselves,
+ # else a script running exit would stop the upgrade process entirely.
 if ! ( source ${hook} ); then
 error "Fatal: failed to upgrade ${n}!"
 exit 1
diff --git a/sdk_lib/enter_chroot.sh b/sdk_lib/enter_chroot.sh
index 0b25cdb64c..77a25d4f4e 100755
--- a/sdk_lib/enter_chroot.sh
+++ b/sdk_lib/enter_chroot.sh
@@ -570,30 +570,20 @@ setup_env
 CHROOT_PASSTHRU=(
 "BUILDBOT_BUILD=$FLAGS_build_number"
- "CHROMEOS_OFFICIAL=$CHROMEOS_OFFICIAL"
 "CHROMEOS_RELEASE_APPID=${CHROMEOS_RELEASE_APPID:-{DEV-BUILD}}"
-
- # Set CHROMEOS_VERSION_TRACK, CHROMEOS_VERSION_AUSERVER,
- # CHROMEOS_VERSION_DEVSERVER as environment variables to override the default
- # assumptions (local AU server). These are used in cros_set_lsb_release, and
- # are used by external Chromium OS builders.
-
- "CHROMEOS_VERSION_TRACK=${CHROMEOS_VERSION_TRACK}"
- "CHROMEOS_VERSION_AUSERVER=${CHROMEOS_VERSION_AUSERVER}"
- "CHROMEOS_VERSION_DEVSERVER=${CHROMEOS_VERSION_DEVSERVER}"
 "EXTERNAL_TRUNK_PATH=${FLAGS_trunk}"
- "SSH_AGENT_PID=${SSH_AGENT_PID}"
- "SSH_AUTH_SOCK=${SSH_AUTH_SOCK}"
 )
-# Some vars we want to keep.
-KEEP_VARS="USE GCC_GITHASH"
-# Pass proxy variables into the environment.
-PROXY_VARS="http_proxy ftp_proxy all_proxy GIT_PROXY_COMMAND GIT_SSH"
-for type in ${KEEP_VARS} ${PROXY_VARS}; do
- if [ -n "${!type}" ]; then
- CHROOT_PASSTHRU+=( "${type}=${!type}" )
- fi
+# Add the standard proxied variables, and a few we specifically
+# export for script usage; USE/GCC_GITHASH are for ebuilds/portage,
+# CHROMEOS_VERSION_* is for cros_set_lsb_release and local AU server
+# (builders export this for marking reasons).
+KEEP_VARS=(
+ CHROMEOS_VERSION_{TRACK,AUSERVER,DEVSERVER}
+ USE GCC_GITHASH
+)
+for var in "${ENVIRONMENT_WHITELIST[@]}" "${KEEP_VARS[@]}"; do
+ [ "${!var+set}" = "set" ] && CHROOT_PASSTHRU+=( "${var}=${!var}" )
 done
 # Run command or interactive shell. Also include the non-chrooted path to
diff --git a/sdk_lib/make_chroot.sh b/sdk_lib/make_chroot.sh
index 4d459d211a..f857f0f4a3 100755
--- a/sdk_lib/make_chroot.sh
+++ b/sdk_lib/make_chroot.sh
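Review bot: In the sdk_lib/enter_chroot.sh hunk, the new loop takes the list of host variables to forward from `ENVIRONMENT_WHITELIST`, which is defined outside this hunk, and nothing here checks that the array is populated; if it is empty or unset, `SSH_AUTH_SOCK`, `SSH_AGENT_PID` and `CHROMEOS_OFFICIAL` (removed from the explicit list above, presumably because the whitelist now carries them) stop reaching the chroot with no message. The same array is passed as arguments to the `45_rewrite_sudoers.d` hook in this commit, so it now defines what crosses both the sudo and the chroot boundary, and the comment above `KEEP_VARS` should say so, e.g. `# ENVIRONMENT_WHITELIST is shared with the sudoers hook; a name added there is forwarded to commands run inside the chroot.` The test also changed from `-n` to `${!var+set}`, so variables that are set but empty are now forwarded where the old loop skipped them; if that is intended, note it in the same comment.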
@@ -172,17 +172,11 @@ init_setup () {
 # the user's already typed in one sudo password...)
 # Make sure the sudoers.d subdir exists as older stage3 base images lack it.
 sudo mkdir -p "${FLAGS_chroot}/etc/sudoers.d"
- sudo_clobber "${FLAGS_chroot}/etc/sudoers.d/90_cros" <