diff --git a/files/etc/filter-syslog/pbuilder b/files/etc/filter-syslog/pbuilder
new file mode 100644
index 0000000000000000000000000000000000000000..5a71775d91f12621c9dee2fbb0512e135496a643
--- /dev/null
+++ b/files/etc/filter-syslog/pbuilder
@@ -0,0 +1,9 @@
+# Syslog filter rules for a system building packages with pbuilder.
+
+# Running pbuilder via sudo.
+sudo:	/.* USER=root ; COMMAND=/usr/sbin/pbuilder .*/
+sudo:	/.* USER=root ; COMMAND=/usr/sbin/cowbuilder .*/
+sudo:   /^pam_unix\(sudo:session\): session (opened|closed) for user root/
+
+# People doing builds out of AFS home directories.
+kernel: /^\[\d+\.\d+\] afs: byte-range locks only enforced for processes on /
diff --git a/files/etc/pam.d/sudo b/files/etc/pam.d/sudo
new file mode 100644
index 0000000000000000000000000000000000000000..67b857b9bcf082a8972831e9a19adf59059f7bbf
--- /dev/null
+++ b/files/etc/pam.d/sudo
@@ -0,0 +1,13 @@
+#%PAM-1.0
+
+@include common-auth
+@include common-account
+
+# @include common-session-noninteractive
+#
+# Instead of including the stock common-session-noninteractive we
+# use parts of it, overriding minimum_uid for pam_afs_session
+# so that sudo will be able to get AFS tokens (helps with cowbuilder)
+session optional		pam_krb5.so minimum_uid=1000
+session required		pam_unix.so
+session optional		pam_afs_session.so minimum_uid=0
diff --git a/manifests/sudo.pp b/manifests/sudo.pp
new file mode 100644
index 0000000000000000000000000000000000000000..56ea74e4d7bb16ef7790f78e45faf91ccac5e6bf
--- /dev/null
+++ b/manifests/sudo.pp
@@ -0,0 +1,25 @@
+class su_debuld::sudo {
+
+  ### SUDO ###
+  ensure_packages(['sudo'], {'ensure' => 'present'})
+
+  # Install a sudo configuration letting mortals run pdebuild.
+  file_line { 'sudo_rule_for_pdebuild':
+    path => '/etc/sudoers',
+    line => '%root      ALL = NOPASSWD: /usr/sbin/cowbuilder',
+  }
+
+  # Ignore the pbuilder sudos.
+  file { '/etc/filter-syslog/pbuilder':
+    source => 'puppet:///modules/su_debuild/etc/filter-syslog/pbuilder';
+  }
+
+  # To be able to run cowbuilder in AFS, we need to use a special version of
+  # /etc/pam.d/sudo.
+  file {
+    '/etc/pam.d/sudo':
+      source  => 'puppet:///modules/su_debuild/etc/pam.d/sudo',
+      require => Package['sudo'];
+  }
+
+}