Change again the root commands, so that all control characters are escaped

Update the corresponding part in README.BLFS

BLFS/xsl/scripts.xsl

@@ -436,9 +436,9 @@ fi
       <xsl:choose>
         <xsl:when test="@role = 'root'">
           <xsl:if test="$sudo = 'y'">
-            <xsl:text>sudo sh &lt;&lt; ROOT_EOF&#xA;</xsl:text>
+            <xsl:text>sudo -E sh &lt;&lt; ROOT_EOF&#xA;</xsl:text>
           </xsl:if>
-          <xsl:apply-templates select="userinput" mode="root"/>
+          <xsl:apply-templates mode="root"/>
           <xsl:if test="$sudo = 'y'">
             <xsl:text>&#xA;ROOT_EOF</xsl:text>
           </xsl:if>
@@ -504,19 +504,10 @@ popd</xsl:text>
     <xsl:apply-templates/>
   </xsl:template>
 
-  <xsl:template match="userinput" mode="root">
-    <xsl:for-each select="child::node()">
-      <xsl:choose>
-        <xsl:when test="self::text()">
+  <xsl:template match="text()" mode="root">
     <xsl:call-template name="output-root">
       <xsl:with-param name="out-string" select="string()"/>
     </xsl:call-template>
-        </xsl:when>
-        <xsl:otherwise>
-          <xsl:apply-templates select="self::node()"/>
-        </xsl:otherwise>
-      </xsl:choose>
-    </xsl:for-each>
   </xsl:template>
 
   <xsl:template name="output-root">
@@ -533,6 +524,17 @@ popd</xsl:text>
                           select="substring-after($out-string,'make')"/>
         </xsl:call-template>
       </xsl:when>
+      <xsl:when test="contains($out-string,'$') and $sudo = 'y'">
+        <xsl:call-template name="output-root">
+          <xsl:with-param name="out-string"
+                          select="substring-before($out-string,'$')"/>
+        </xsl:call-template>
+        <xsl:text>\$</xsl:text>
+        <xsl:call-template name="output-root">
+          <xsl:with-param name="out-string"
+                          select="substring-after($out-string,'$')"/>
+        </xsl:call-template>
+      </xsl:when>
       <xsl:when test="contains($out-string,'`') and $sudo = 'y'">
         <xsl:call-template name="output-root">
           <xsl:with-param name="out-string"
@@ -567,4 +569,10 @@ popd</xsl:text>
         <xsl:text>EDITME**</xsl:text>
   </xsl:template>
 
+  <xsl:template match="replaceable" mode="root">
+        <xsl:text>**EDITME</xsl:text>
+        <xsl:apply-templates/>
+        <xsl:text>EDITME**</xsl:text>
+  </xsl:template>
+
 </xsl:stylesheet>

README.BLFS

@@ -273,14 +273,20 @@ $Id$
         If building as a normal user (the default setting), be sure that all
      commands that require root privileges are run using sudo. Also make sure
      necessary root privilege commands are visible in your PATH. Or use
-     the `Defaults secure_path=' in /etc/sudoers. Also, the scripts use a
-     fragile construct:
-       sudo bash -c '<commands to be executed as root>'
-     which fail if the commands to be executed contain themselves a ' or access
-     a bash variable $XXX. So carefully review them. When you want to use
-     environment variables, it is sometimes better to replace simple quotes
-     with double quotes, but beware the construct is even more fragile.
-     Carefully check it...
+     the `Defaults secure_path=' in /etc/sudoers.
+        For commands necessitating root privileges, the generated scripts wrap
+     them with the construct:
+       sudo -E sh << ROOT_EOF
+         <commands to be executed as root with `$', ``', and `\' escaped>
+       ROOT_EOF
+     The -E switch ensures the whole environment is passed to the
+     commands to be run with root privileges. It is effective only if the
+     /etc/sudoers file contains `Defaults setenv', or SETENV in the user
+     attributes. If you think it is a security issue, you may forbid this
+     flag in /etc/sudoers, but then, you have to un-escape `$' for variables
+     coming from the environment in the instructions.
+        Although this construct is rather strong, it can fail in some corner
+     cases, so carefully review those instructions.
 
         Due to book layout issues, some sudo commands may be missing.