1

I have a Linux user that needs to be able to execute any command with sudo, but it should ask for their password for all apart from one executable. Currently my sudoers file looks like:

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) NOPASSWD:/bin/switch.sh

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

So I have added my user to the sudo group; however, I think I have the syntax wrong, as now I can only execute switch.sh with sudo and no others.

  • Just making sure: 1) When we talk about the "password" we talk about the user's password, NOT root's password. I know, duh, but sometimes people are confused. 2) In order to test changes to /etc/sudoers I usually have to log out/log in or start a new shell respectively. Make sure you remember that while testing. – Marki Nov 16 '14 at 19:51

1 Answer

0

For %sudo group users to allow anything but /bin/switch.sh you need the first line. The second line allows users in %sudo to execute everything with a password, but as the first line has precedence, users must type the password for everything but the script on the first line.

%sudo    ALL=(root) NOPASSWD:/bin/switch.sh
%sudo    ALL=(ALL) ALL
jherran
  • I want all users that are in the group sudo to follow the same rule. Also, I would rather, if possible, have it so users in sudo have to give a password for all commands apart from switch.sh – DevWithZachary Nov 16 '14 at 19:30
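
sudoers(5) states that when several entries match a user, the last match is used, so the order of the two %sudo rules decides whether /bin/switch.sh prompts for a password. The Python model below is an added example, not part of the original question or answer and not sudo's own parser: it covers only the rule shape seen on this page, ignores the host and run-as fields, and its helper names `parse` and `decide` are hypothetical.

```python
import re

# Simplified model of sudoers(5) matching, limited to the
# "%group HOST=(runas) [NOPASSWD:|PASSWD:] cmd[, cmd]" shape used on this page.
RULE = re.compile(r"^%(?P<group>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"(NOPASSWD|PASSWD):\s*")

def parse(sudoers_text):
    """Return [(group, command, needs_password)] in file order."""
    entries = []
    for line in sudoers_text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # comments, Defaults and non-group entries are skipped
        needs_password = True  # sudo authenticates unless a tag says otherwise
        for spec in m.group("cmds").split(","):
            spec = spec.strip()
            # A tag applies to its command and to later ones in the same list.
            tag = TAG.match(spec)
            while tag:
                needs_password = tag.group(1) == "PASSWD"
                spec = spec[tag.end():]
                tag = TAG.match(spec)
            entries.append((m.group("group"), spec, needs_password))
    return entries

def decide(sudoers_text, groups, command):
    """Evaluate entries in order; the last matching entry wins."""
    result = "denied"
    for group, spec, needs_password in parse(sudoers_text):
        if group in groups and spec in ("ALL", command):
            result = "password" if needs_password else "nopasswd"
    return result

# Constructed inputs: the %sudo line from the question, then the answer's
# two rules in both possible orders.
QUESTION = "%sudo   ALL=(ALL:ALL) NOPASSWD:/bin/switch.sh\n"
EXCEPTION_FIRST = "%sudo ALL=(root) NOPASSWD:/bin/switch.sh\n%sudo ALL=(ALL) ALL\n"
EXCEPTION_LAST = "%sudo ALL=(ALL) ALL\n%sudo ALL=(root) NOPASSWD:/bin/switch.sh\n"

if __name__ == "__main__":
    cases = [("question", QUESTION), ("exception first", EXCEPTION_FIRST),
             ("exception last", EXCEPTION_LAST)]
    for name, text in cases:
        print(name, {cmd: decide(text, {"sudo"}, cmd)
                     for cmd in ("/bin/switch.sh", "/usr/bin/apt")})
```

On a real system, check an edited file with `visudo -c` and list the rules that apply to a user with `sudo -l -U <user>`.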