Q: http://www.softpanorama.org/Access_control/Sudo/sudoer_file_examples.shtml

The default /etc/sudoers file supplied with sudo introduces, on an ad hoc level, three additional classes of users into Unix:

- multiple system administrators (via the wheel group);
- operators, who can shut down and boot the server, use the service command to manage daemons, mount volumes, etc.;
- users, a category more restricted than operators, which adds to normal user capabilities the ability to execute specific commands, view selected system files, and view the processes of all users via ps.

The central directive of sudo is the so-called "user specification". It is usually written with the help of aliases. It has a left part and a right part, separated by an equal sign.

The left part consists of two entries:

- user_list: the users that can execute the particular command (users can be given by individual name, by the group they belong to, or by alias);
- host_list: the servers to which this line applies. Each server name is interpreted literally, by comparing it with the value returned by the hostname command. So localhost is not the same as "the current host": you need to specify the exact name returned by the hostname command, or ALL (ALL means that the check is skipped).

The right part is more complex and consists of:

- a Runas_Spec, which determines the user and/or the group that a command may be run as. If no Runas_Spec is provided, the command will run as root, or as the user given in the -u parameter of the sudo invocation. You either specify a user (operator), a user and a group (operator:users), or just a group (:users). If no group is specified, the primary group of that user in /etc/passwd is used. You can also use aliases of the corresponding type (Runas_Alias) and comma-separated lists.
- a Command_list (the list of commands, separated by commas) that can be executed under that user/group specification by the users, and on the servers, defined in the left part. A command can carry one or more "tags", such as NOPASSWD: or NOEXEC:, that specify additional details of command execution.

Formally, a "user specification" can be defined as:

    user_list host_list = command_definition [, command_definition ]...
    command_definition := [run_as_list] [tag_list] command

Both run_as_list and tag_list are optional. The right side can be a list of definitions separated by commas. The command list can consist of commands and directories. A directory, for example /usr/bin/, should end with a slash and means that any command in that directory can be executed (see the example below). For example:

    %users localhost = (root) NOPASSWD: /usr/bin/tail /var/log/messages
    %operators ALL = (root) NOPASSWD: NOEXEC: /usr/bin/vim

or, using a list:

    %users localhost = (operator) /bin/ls, (root) /bin/kill, /sbin/shutdown

In this case all users who belong to the group users are allowed to run the command /bin/ls as operator, but the commands /bin/kill and /sbin/shutdown as root. Now let's give an example with a directory specification:

    %operators localhost = (apache) /usr/sbin/

That means that users who belong to the operators group may run any command in /usr/sbin/ as user apache.

## Using Aliases

There are four kinds of aliases:

1. User_Alias -- as the name implies, it defines a group of users, which can consist of individual names, groups, and other user aliases defined previously.
2. Runas_Alias -- this type of alias is often misunderstood. It specifies the particular user (root, apache, etc.) and/or groups under which the commands listed in the right part can be executed.
3. Host_Alias -- we will mostly ignore them, as they are required only in complex installations (and usually by people who do not need this page).
   Generally you use either ALL or the exact host name (as returned by the hostname command) if your sudoers files are individual to each host and you distribute a single file to the group of proper hosts with pdsh or a similar parallel shell. Using localhost does not work as a specification of "just this host"; use ALL instead. This type of alias should normally end with the suffix _HOSTS, for example WEB_HOSTS.
4. Cmnd_Alias -- this is the list of commands that you want to allow to be executed, with several twists such as wildcards, directory specifications, etc. This type of alias should normally end with the suffix _CMD, for example PROCESSES_CMD.

The format for declaring aliases is quite simple. Each alias definition is of the form:

    Alias_Type NAME = item1, item2, ...

The right part is a comma-separated list. Blanks can be used after each comma. If you want to exclude an entry instead of including it, list it with the prefix '!':

    Runas_Alias OPERATORS = sge, vasp, accelrys
    Runas_Alias ADMINS = %wheel, root
    User_Alias RESEARCHERS = user1, user2, ...
    User_Alias NOROOT = ALL, !root, !%wheel   # "any user other than root, or those who belong to the group wheel"

The primary admin (who is typically a member of the group wheel) needs to be blocked too, as he typically has access to root via sudo.

NOTE: Limitations of the '!' operator

You should never try to subtract commands from ALL in a Cmnd_Alias using the '!' operator. A user can trivially circumvent this by copying the desired command to a different name and then executing that command. For example, this Cmnd_Alias is deeply wrong:

    Cmnd_Alias NORMAL_CMD = ALL, !SU, !SHELLS

It does not really prevent users who are allowed to run the commands listed under this alias from running the commands listed in SU or SHELLS, since any of them can simply copy those commands to a different name, or use a shell escape from an editor or other program.
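As an added example (not code from the page or from the sudo project), here is a small Python evaluator for the user-specification grammar described above: it parses a constructed sudoers fragment, compares host names literally as hostname(1) would report them, lets a Runas_Spec carry over to the entries after it, and expands Cmnd_Alias entries with last-match-wins semantics, which reproduces the '!' limitation just described (NORMAL_CMD still matches a renamed copy of a shell). The group membership in GROUPS and all user, host and path names are constructed assumptions; tags are parsed but not evaluated.

```python
import re
# Constructed sudoers fragment; the alias names follow the page's own examples.
SUDOERS = """
Cmnd_Alias SHELLS = /bin/sh, /bin/bash
Cmnd_Alias NORMAL_CMD = ALL, !SHELLS
%users web01 = (operator) /bin/ls, (root) NOPASSWD: /bin/kill, /sbin/shutdown
%operators localhost = (apache) /usr/sbin/
jill ALL = NORMAL_CMD
"""
GROUPS = {"alice": {"users"}, "bob": {"operators"}}   # constructed group membership
TAGS = re.compile(r"^(?:(?:NOPASSWD|PASSWD|NOEXEC|EXEC):\s*)+")  # stripped, not evaluated
def parse(text):
    # Returns (cmnd_aliases, specs); each spec is (user_list, host, runas, command).
    aliases, specs = {}, []
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if line.startswith("Cmnd_Alias"):
            name, body = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in body.split(",")]
        elif line:
            lhs, rhs = line.split("=", 1)
            user_list, host = lhs.split()
            runas = "root"                   # default when no Runas_Spec is given
            for item in rhs.split(","):
                item = item.strip()
                if item.startswith("("):     # a Runas_Spec sticks to the entries after it
                    runas, item = item[1:].split(")", 1)
                specs.append((user_list, host, runas, TAGS.sub("", item.strip())))
    return aliases, specs
def in_cmnd_list(aliases, entry, command):
    # Expand a Cmnd_Alias: later items override earlier ones, '!' removes only exact paths.
    if entry in aliases:
        allowed = False
        for sub in aliases[entry]:
            if in_cmnd_list(aliases, sub.lstrip("!"), command):
                allowed = not sub.startswith("!")
        return allowed
    if entry.endswith("/"):                  # directory entry: any file directly inside it
        return command.rsplit("/", 1)[0] + "/" == entry
    return entry == "ALL" or entry == command

def may_run(aliases, specs, user, hostname, command, runas="root"):
    for user_list, host, r, entry in reversed(specs):   # last matching entry wins
        names = {"ALL", user, *("%" + g for g in GROUPS.get(user, ()))}   # user or %group
        # Hosts compare literally with hostname(1) output: "localhost" matches only that name.
        if user_list not in names or host not in ("ALL", hostname) or r not in ("ALL", runas):
            continue
        if in_cmnd_list(aliases, entry.lstrip("!"), command):
            return not entry.startswith("!")
    return False
```

Call parse(SUDOERS) once and pass the result to may_run() with the user, the name hostname(1) reports, the full command path and the intended run-as user; a renamed copy such as /home/jill/sh is reported as permitted under NORMAL_CMD while /bin/sh is not.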
In general, if a Cmnd_Alias has an ALL element in it, there is nothing to prevent users who are assigned this alias from creating their own program that gives them a root shell (or making their own copy of a shell), regardless of any '!' elements in the user specification.

## Non-Root Execution

It is also possible to have a user run an application as a different, non-root user. This is very useful if you run applications as a dedicated user (for instance apache for the web server) and want to allow certain users to perform administrative steps as that user (like killing zombie processes). Inside /etc/sudoers you list the run-as user(s) between ( and ) before the command list:

    users hosts = (run-as) commands

For instance, to allow the users defined as WEBMASTERS to run the kill tool as the apache user:

    Cmnd_Alias KILL = /bin/kill, /usr/bin/pkill
    WEBMASTERS localhost = (apache) KILL

With this set, the user can run sudo -u to select the user he wants to run the application as:

    $ sudo -u apache pkill apache

You can set an alias for the user to run an application as using the Runas_Alias directive. Its use is identical to the other _Alias directives we have seen before. This way you can also exclude root from the list of users:

    Runas_Alias NOROOT = ALL, !root
    WEBMASTERS localhost = (NOROOT) KILL

## Tip: Study the default sudoers file

Sudo provides a well documented sample sudoers file, which is a pretty educational example:

    # Sample /etc/sudoers file.
    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # See the sudoers man page for the details on how to write a sudoers file.
    #

    ##
    # User alias specification
    ##
    User_Alias      FULLTIMERS = millert, mikef, dowdy
    User_Alias      PARTTIMERS = bostley, jwfox, crawl
    User_Alias      WEBMASTERS = will, wendy, wim

    ##
    # Runas alias specification
    ##
    Runas_Alias     OP = root, operator
    Runas_Alias     DB = oracle, sybase

    ##
    # Host alias specification
    ##
    Host_Alias      SPARC = bigtime, eclipse, moet, anchor:\
                    SGI = grolsch, dandelion, black:\
                    ALPHA = widget, thalamus, foobar:\
                    HPPA = boa, nag, python
    Host_Alias      CUNETS = 128.138.0.0/255.255.0.0
    Host_Alias      CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
    Host_Alias      SERVERS = master, mail, www, ns
    Host_Alias      CDROM = orion, perseus, hercules

    ##
    # Cmnd alias specification
    ##
    Cmnd_Alias      DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \
                    /usr/sbin/rrestore, /usr/bin/mt
    Cmnd_Alias      KILL = /usr/bin/kill
    Cmnd_Alias      PRINTING = /usr/sbin/lpc, /usr/bin/lprm
    Cmnd_Alias      SHUTDOWN = /usr/sbin/shutdown
    Cmnd_Alias      HALT = /usr/sbin/halt
    Cmnd_Alias      REBOOT = /usr/sbin/reboot
    Cmnd_Alias      SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                    /usr/local/bin/tcsh, /usr/bin/rsh, \
                    /usr/local/bin/zsh
    Cmnd_Alias      SU = /usr/bin/su
    Cmnd_Alias      VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \
                    /usr/bin/chfn

    ##
    # Override built-in defaults
    ##
    Defaults                syslog=auth
    Defaults>root           !set_logname
    Defaults:FULLTIMERS     !lecture
    Defaults:millert        !authenticate
    Defaults@SERVERS        log_year, logfile=/var/log/sudo.log

    ##
    # User specification
    ##

    # root and users in group wheel can run anything on any machine as any user
    root            ALL = (ALL) ALL
    %wheel          ALL = (ALL) ALL

    # full time sysadmins can run anything on any machine without a password
    FULLTIMERS      ALL = NOPASSWD: ALL

    # part time sysadmins may run anything but need a password
    PARTTIMERS      ALL = ALL

    # jack may run anything on machines in CSNETS
    jack            CSNETS = ALL

    # lisa may run any command on any host in CUNETS (a class B network)
    lisa            CUNETS = ALL

    # operator may run maintenance commands and anything in /usr/oper/bin/
    operator        ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
                    sudoedit /etc/printcap, /usr/oper/bin/

    # joe may su only to operator
    joe             ALL = /usr/bin/su operator

    # pete may change passwords for anyone but root on the hp snakes
    pete            HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root

    # bob may run anything on the sparc and sgi machines as any user
    # listed in the Runas_Alias "OP" (ie: root and operator)
    bob             SPARC = (OP) ALL : SGI = (OP) ALL

    # jim may run anything on machines in the biglab netgroup
    jim             +biglab = ALL

    # users in the secretaries netgroup need to help manage the printers
    # as well as add and remove users
    +secretaries    ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

    # fred can run commands as oracle or sybase without a password
    fred            ALL = (DB) NOPASSWD: ALL

    # on the alphas, john may su to anyone but root and flags are not allowed
    john            ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

    # jen can run anything on all machines except the ones
    # in the "SERVERS" Host_Alias
    jen             ALL, !SERVERS = ALL

    # jill can run any commands in the directory /usr/bin/, except for
    # those in the SU and SHELLS aliases.
    jill            SERVERS = /usr/bin/, !SU, !SHELLS

    # steve can run any command in the directory /usr/local/op_commands/
    # as user operator.
    steve           CSNETS = (operator) /usr/local/op_commands/

    # matt needs to be able to kill things on his workstation when
    # they get hung.
    matt            valkyrie = KILL

    # users in the WEBMASTERS User_Alias (will, wendy, and wim)
    # may run any command as user www (which owns the web pages)
    # or simply su to www.
    WEBMASTERS      www = (www) ALL, (root) /usr/bin/su www

    # anyone can mount/unmount a cd-rom on the machines in the CDROM alias
    ALL             CDROM = NOPASSWD: /sbin/umount /CDROM,\
                    /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM

Q: https://www.tecmint.com/sudoers-configurations-for-setting-sudo-in-linux/ 10 Useful Sudoers Configurations for Setting ‘sudo’ in Linux