Authorize a user to run all programs in a given directory, but only those programs, as another user.
Specify a fully-qualified directory name instead of a command, ending it with a slash:
/etc/sudoers: smith ALL = (root) /usr/local/bin/ smith$ sudo -u root /usr/local/bin/mycommand Authorized smith$ sudo -u root /usr/bin/emacs Rejected
This authorization does not descend into subdirectories.
smith$ sudo -u root /usr/local/bin/gnu/emacs Rejected
sudo(8), sudoers(5).