I found an answer at the Unix & Linux regarding same question.
Link to answer Credit to user Tom Klino
Copy paste from said link:
For your original question, you will need to exclude /bin/bash
(or whatever is defined as the user's shell in /etc/passwd
), like so:
tomk ALL= ALL,!/bin/su,!/bin/bash
However(!!!), as stated already in the comments to your question, even though this will deny the user from running sudo -s
or sudo -i
, it will not really prevent him/her from getting an interactive shell as root.
From man sudoers
:
Limitations of the ‘!’ operator
It is generally not effective to “subtract” commands from ALL using the ‘!’ operator. A user can trivially circumvent this by copying the desired command to a different name and then executing that.
For example:
bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent bill from running the commands listed in SU or SHELLS since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. There‐
fore, these kind of restrictions should be considered advisory at best (and reinforced by policy).
In general, if a user has sudo ALL there is nothing to prevent them from creating their own program that gives them a root shell (or making their own copy of a shell) regardless of any ‘!’ elements in
the user specification.