Your setup won't work.
When you use sudo you become the root user for the execution of that command. Try executing, as a normal user who belongs to the wheel group,

    whoami

and then

    sudo /usr/bin/whoami

The ACL restrictions, as implemented, won't stop root.
I think your approach is incorrect: instead of giving users sudo access to all and then excluding some stuff, you should selectively give users access to certain root commands they specifically need.
Too many commands can be misused to gain real root access if you allow access to all. For example: When this is in place

    %wheel ALL=(ALL) ALL

and no further restrictions are set, then all I have to do is

    sudo vi

and from vi

    :sh

to get full root access.
Maybe these links will help:
- HowTO: Sudoers Configuration
- Linux Users and Sudo
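
An added example, not part of the original answer: a sudoers drop-in that contrasts the blanket grant quoted above with a per-command allowlist. The group `webadmins`, the `httpd` service and the file paths are hypothetical and stand in for whatever your users actually need.

```sudoers
# /etc/sudoers.d/webadmins  (constructed example; edit with: visudo -f /etc/sudoers.d/webadmins)
# The group "webadmins", the httpd service and the file paths are hypothetical.

# Weak: the blanket grant quoted in the answer. Any permitted program that can
# spawn a shell (such as vi with :sh) hands the user a root shell.
#   %wheel ALL=(ALL) ALL
#
# Also weak: "ALL minus exclusions". The sudoers manual itself warns that
# subtracting commands from ALL with "!" is generally not effective.
#   %wheel ALL=(ALL) ALL, !/usr/bin/vi

# Corrected: name each command the group needs, with full path and arguments.
# When arguments are listed, the user's command line must match them.
Cmnd_Alias WEB_SVC = /usr/bin/systemctl restart httpd, \
                     /usr/bin/systemctl reload httpd

# Run only as root, only these commands.
%webadmins ALL = (root) WEB_SVC

# File editing goes through sudoedit: the editor runs as the invoking user on a
# temporary copy, so a shell started from the editor is not a root shell.
%webadmins ALL = (root) sudoedit /etc/httpd/conf/httpd.conf

# Check syntax before relying on it:   visudo -cf /etc/sudoers.d/webadmins
# Review what a user may run:          sudo -l -U <username>
```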