[sudo-users] SUDO Command Negation Question

[Wick, Samson]

We're using SUDO (version 1.8.6p3-7) via LDAP.

We have roles where I'm required to grant the sudoCommand "ALL" to users, and then attempt to prohibit certain actions with "!" sudoCommands.  I'm already perfectly aware of how insecure this is, but politics are mostly immune to facts and can be slow to change - I've given the lecture but I still have to try to do this for the time being.

I have a role with the sudoCommand "ALL" and I want to prevent users from running [/bin/su] or [/bin/su -] or [/bin/su root] or [/bin/su - root], but still allow them to run [/bin/su serviceaccount] or [/bin/su - serviceaccount].

According to the documentation, a sudoCommand without arguments can be specified by adding an empty "" at the end of the string like [/bin/su""] but for some reason this does not seem to work with negation. [!/bin/su""] behaves exactly like [!/bin/su] and prevents the use of the command entirely - with or without arguments.

Is this behavior by design, is this a bug, or is there some syntax I've overlooked which will allow me to negate use of the command without arguments but continue to allow it to work with specific arguments?

The solution I'm currently using is to add [sudoCommand: !/bin/su] to the role with [sudoCommand: ALL], then assigning a separate role with [sudoCommand: /bin/bash] and [sudoRunAsUser: serviceaccount].  The users can't run /bin/su as root at all, but they can execute a shell as the "serviceaccount" user like this: [sudo -u serviceaccount /bin/bash].   This setup works fine as a replacement for allowing /bin/su, to a specific user as root, but wouldn't really work for other commands that have undesirable behavior when run without arguments, and it would be preferable if I could do this in a way that's transparent to the users.