Thre is a bug in sudo before 1.8.28. The bug, basically, involve UID validation where user ID -1 or 4294967295 could allow a user with sudo privilege to run command as root, even the Runas specification explicitly disallow root access.
For example, specify Runas in /etc/sudoers like this:
test ALL=(ALL,!root) /usr/bin/whoami
You can do this:
![](https://kitty.in.th/wp-content/uploads/2019/10/73539166_2738336349531279_5837897940189839360_n.jpg)
Fix ? Just update the package.