You want to let a user run all commands as root except for specific exceptions, such as su.
Don't.
Instead, list all the permissible commands explicitly in /etc/sudoers. Don't try the reverse?letting the user run all commands as root "except these few"?which is prohibitively difficult to do securely.
It's tempting to try excluding dangerous commands with the "!" syntax:
/etc/sudoers: smith ALL = (root) !/usr/bin/su ...
but this technique is fraught with problems. A savvy user can easily get around it by renaming the forbidden executables:
smith$ ln -s /usr/bin/su gimmeroot smith$ sudo gimmeroot
Instead, we recommend listing all acceptable commands individually, making sure that none have shell escapes.
sudo(8), sudoers(5).