First of all, your '!' entry will only match "cp /etc/shadow", not "cp /etc/shadow somewhere_else". You could fix that by: test ALL = /usr/bin/cp, !/usr/bin/cp /etc/shadow* But this is trivial to defeat by: cp -f /etc/shadow $HOME There's just no easy way to do what you want--there are too many ways to work around it (think symlinks). - todd