Para sua pergunta original, você precisará excluir /bin/bash (ou o que for definido como o shell do usuário em /etc/passwd ), assim:
tomk ALL= ALL,!/bin/su,!/bin/bash
No entanto (!!!) , conforme já mencionado nos comentários da sua pergunta, mesmo que isso impeça o usuário de executar sudo -s ou sudo -i , ele não será realmente impedir que ele receba um shell interativo como root.
De man sudoers :
Limitations of the ‘!’ operator
It is generally not effective to “subtract” commands from ALL using the ‘!’ operator. A user can trivially circumvent this by copying the desired command to a different name and then executing that. For example:
bill ALL = ALL, !SU, !SHELLSDoesn't really prevent bill from running the commands listed in SU or SHELLS since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. There‐ fore, these kind of restrictions should be considered advisory at best (and reinforced by policy).
In general, if a user has sudo ALL there is nothing to prevent them from creating their own program that gives them a root shell (or making their own copy of a shell) regardless of any ‘!’ elements in the user specification.