If you allow someone to “sudo vi” they could obtain a shell prompt as root if they type “:shell”.
If you allow someone to “sudo less” they could also obtain a shell prompt as root if they type “! <enter>”
To avoid that, you can tag “less” and “vi” with the NOEXEC tag, which prevents the tagged program from executing further commands.
This is an example sudoers file that tags “more”, “less” and “vi” as NOEXEC and is meant to prevent members of the group “theusers”
from running “sudo bash” and “sudo su -”.
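# Pagers and editors that offer a shell escape. They are run with the NOEXEC
# tag so that they cannot execute further commands.
# NOTE(review): where NOEXEC is implemented through the dynamic linker it has
# no effect on statically linked binaries (see sudoers(5)). It also does not
# limit which files an editor may write as root; sudoers(5) suggests sudoedit
# as the safer way to let users edit files.
# The paths must match the binaries actually installed on the host - confirm.
Cmnd_Alias NOEXEC_CMDS = /usr/bin/less, /usr/bin/more, /bin/vi

# Commands denied to %theusers.
# Every entry is separated by a comma: in sudoers, words that follow a path
# without a comma are read as that command's arguments, so a space-separated
# list would match almost nothing and "sudo bash" would still be allowed.
# Long lists are continued with a trailing backslash.
# NOTE(review): the list looks like every installed file with "sh" in its
# name, so it also denies non-shells such as sha256sum, shutdown and ssh.
# Trim it to the commands that are really meant to be denied.
Cmnd_Alias SHELLS = \
    /usr/bin/amuFormat.sh, /usr/bin/avahi-publish, /usr/bin/avahi-publish-address, \
    /usr/bin/avahi-publish-service, /usr/bin/banshee, /usr/bin/bashbug, \
    /usr/bin/brushtopbm, /usr/bin/bsh, /usr/bin/btcflash, \
    /usr/bin/chsh, /usr/bin/c_rehash, /usr/bin/csharp, \
    /usr/bin/debconf-show, /usr/bin/dh_bash-completion, /usr/bin/dh_makeshlibs, \
    /usr/bin/dh_shlibdeps, /usr/bin/dpkg-shlibdeps, /usr/bin/gdm-screenshot, \
    /usr/bin/gettext.sh, /usr/bin/git-shell, /usr/bin/glib-genmarshal, \
    /usr/bin/gnome-file-share-properties, /usr/bin/gnome-panel-screenshot, /usr/bin/gnome-screenshot, \
    /usr/bin/groovysh, /usr/bin/gvfs-trash, /usr/bin/installdbgsymbols.sh, \
    /usr/bin/instmodsh, /usr/bin/kcmshell4, /usr/bin/kdeinit4_shutdown, \
    /usr/bin/ksh, /usr/bin/kshell4, /usr/bin/ksplashsimple, \
    /usr/bin/ksplashx, /usr/bin/ksplashx_scale, /usr/bin/ktrash, \
    /usr/bin/lshal, /usr/bin/lshw, /usr/bin/mailshar, \
    /usr/bin/mdns-publish-vnc, /usr/bin/mdns-publish-xendom, /usr/bin/motd+shell, \
    /usr/bin/mshowfat, /usr/bin/muinshee, /usr/bin/mysqlshow, \
    /usr/bin/omshell, /usr/bin/pax11publish, /usr/bin/pnmshear, \
    /usr/bin/ppmflash, /usr/bin/ppmshadow, /usr/bin/ppmshift, \
    /usr/bin/rawshark, /usr/bin/rsh, /usr/bin/sha1pass, \
    /usr/bin/sha1sum, /usr/bin/sha224sum, /usr/bin/sha256sum, \
    /usr/bin/sha384sum, /usr/bin/sha512sum, /usr/bin/shar, \
    /usr/bin/shares-admin, /usr/bin/shasum, /usr/bin/shcomp, \
    /usr/bin/shell, /usr/bin/shotwell, /usr/bin/showconsolefont, \
    /usr/bin/showfont, /usr/bin/showkey, /usr/bin/showrgb, \
    /usr/bin/shpadd, /usr/bin/shpcreate, /usr/bin/shpdump, \
    /usr/bin/shprewind, /usr/bin/shptest, /usr/bin/shred, \
    /usr/bin/shuf, /usr/bin/ssh, /usr/bin/ssh-add, \
    /usr/bin/ssh-agent, /usr/bin/ssh-argv0, /usr/bin/ssh-askpass, \
    /usr/bin/ssh-copy-id, /usr/bin/sshfs, /usr/bin/ssh-import-id, \
    /usr/bin/ssh-keygen, /usr/bin/ssh-keyscan, /usr/bin/ssh-vulnkey, \
    /usr/bin/tclsh, /usr/bin/tclsh8.4, /usr/bin/tclsh8.5, \
    /usr/bin/toshset, /usr/bin/trash4, /usr/bin/unshar, \
    /usr/bin/unshare, /usr/bin/update-xbmc-dharma-pvr.sh, /usr/bin/ushare, \
    /usr/bin/wireshark, /usr/bin/wish, /usr/bin/wish8.4, \
    /usr/bin/wish8.5, /usr/bin/xbsh, /usr/bin/xpcshell-1.9.2, \
    /usr/bin/xrefresh, \
    /sbin/capsh, /sbin/shadowconfig, /sbin/showmount, /sbin/shutdown, \
    /bin/bash, /bin/dash, /bin/ksh, /bin/ksh93, \
    /bin/rbash, /bin/sh, /bin/sh.distrib, /bin/static-sh, \
    /bin/su

# Members of group "theusers" may run any command as any user without a
# password, except the commands in SHELLS; the commands in NOEXEC_CMDS are
# allowed, but with the NOEXEC tag. sudo applies the last matching entry, so
# the order ALL, !SHELLS, NOEXEC: NOEXEC_CMDS must be kept.
# Excluding commands from ALL is not a reliable restriction - sudoers(5) says
# so explicitly. Where a real boundary is needed, list the permitted commands
# instead of granting ALL.
# Check the file with "visudo -c" before installing it.
%theusers ALL=(ALL) NOPASSWD: ALL, !SHELLS, NOEXEC: NOEXEC_CMDS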