diff --git a/find_path.c b/find_path.c
index df33ae8bc..7f89a4fa7 100644
--- a/find_path.c
+++ b/find_path.c
@@ -104,7 +104,7 @@ find_path(infile, outfile, path)
     }
 
     /* Use PATH passed in unless SECURE_PATH is in effect.  */
-    if (def_str(I_SECURE_PATH) && !user_is_exempt())
+    if (def_str(I_SECURE_PATH))
 	path = def_str(I_SECURE_PATH);
     else if (path == NULL)
 	return(NOT_FOUND);
diff --git a/sudo.c b/sudo.c
index e73013bec..2dd08a060 100644
--- a/sudo.c
+++ b/sudo.c
@@ -245,6 +245,12 @@ main(argc, argv, envp)
     /* Validate the user but don't search for pseudo-commands. */
     validated = sudoers_lookup(pwflag);
 
+    /* Exempt users aren't affected by secure paths. */
+    if (user_is_exempt() && def_str(I_SECURE_PATH)) {
+	free(def_str(I_SECURE_PATH));
+	def_str(I_SECURE_PATH) = NULL;
+    }
+
     /*
      * Look up runas user passwd struct.  If we are given a uid then
      * there may be no corresponding passwd(5) entry (which is OK).