Always edit /etc/sudoers with the visudo program, not by invoking a text editor directly. visudo uses a lock to ensure that only one person edits /etc/sudoers at a time, and verifies that there are no syntax errors before the file is saved.

Never permit the following programs to be invoked with root privileges by sudo: su, sudo, visudo, any shell, and any program having a shell escape.

Be meticulous about specifying argument lists for each command in /etc/sudoers . If you aren’t careful, even common commands like cat and chmod can be springboards to gain root privileges:

$ sudo cat /etc/shadow > my.evil.file
$ sudo cat ~root/.ssh/id_dsa > my.copy.of.roots.ssh.key
$ sudo chmod 777 /etc/passwd; emacs /etc/passwd
$ sudo chmod 4755 /usr/bin/less               (root-owned with a shell escape)

Obviously, never let users invoke a program or script via sudo if the users have write permissions to the script. For example:

                     /etc/sudoers:
smith ALL = (root) /home/smith/myprogram

would be a very bad idea, since smith can modify myprogram arbitrarily.