Thre is a bug in sudo before 1.8.28. The bug, basically, involve UID validation where user ID -1 or 4294967295 could allow a user with sudo privilege to run command as root, even the Runas specification explicitly disallow root access.

For example,  specify Runas in /etc/sudoers like this:

test ALL=(ALL,!root) /usr/bin/whoami

You can do this: