Excellent info and ideas. Thank you all very much. You have given me quite a bit to consider.

Users do connect via SSH. The group of people who use this are a select few who I trust and have a good working relationship with. This is more or less a way to save them from themselves :)

Regardless, as a matter of best practices you are correct, I really ought to (and will) lock sudo down to the scripts themselves. Nobody but myself and the other admin have shell access to that box, so the directory containing the scripts is fairly safe.

*gives the other admin the evil eye*