You cannot give someone sudo "ALL" and expect them not to be able to get a root shell. If you don't trust the user you should explicitly list the commands you want them to run. This is mentioned in the man pages. - todd