
Re: Disable su -

 
Macho_2
Frequent Advisor

Disable su -

How do I disable a user from su-ing to another account or root, and which file controls su?
Naveej.K.A
Honored Contributor

Re: Disable su -

Hi,

Rename the command "su" or move it to a different directory.

Regards,
Naveej
practice makes a man perfect!!!
Ranjith_5
Honored Contributor
Solution

Re: Disable su -

Hi,

See my reply in this thread. This way you can stop users from doing su to root.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=854029

To restrict the "su" command from normal users, move the su binary to /usr/sbin from /usr/bin.
#mv /usr/bin/su /usr/sbin/
Hope this will work; I still haven't tested this method. The other option is renaming the binary.

Naveej also mentioned a similar solution here.

Regards,
Syam
Ng Oon Tian
Occasional Advisor

Re: Disable su -

Renaming/moving/removing the binary just means that the user (if malicious) will either (1) copy it from another system or (2) get another copy from somewhere or (3) path to it explicitly.

Do you want to lock down su to all users or only to the root user?

What you need to consider is

1) I want users to stop doing SU to root.
Easy: Look at /etc/default/security and set SU_ROOT_GROUP.

2) To discourage use of SU, set a policy and then check the /var/adm/sulog file.

Else provide an idea of what is trying to be achieved and perhaps another way can be found.

Example. I am user "ONE" and I wish to su to user "TWO". Locking down su just means I have to pop up another session and log in as user "TWO".
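
Added example (not part of the thread, and not any poster's code): a shell/awk review of sulog that goes with the SU_ROOT_GROUP and /var/adm/sulog advice above, reporting failed su-to-root attempts and successful ones by users outside an expected list. It assumes the classic `SU MM/DD HH:MM +/- tty from-to` sulog line format; the function names, usernames, allowed list and sample lines are constructed.

```shell
#!/bin/sh
# Added example: audit su-to-root entries in an sulog-style log.
# Assumed line format (classic System V sulog):
#   SU MM/DD HH:MM <+|-> <tty> <from>-<to>
# "+" marks a successful su, "-" a failed one.

# audit_sulog ALLOWED  (log on stdin)
#   ALLOWED: space-separated users you expect to be members of the
#   group named by SU_ROOT_GROUP (hypothetical names in this example).
audit_sulog() {
    awk -v allowed="$1" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Only su attempts whose target account is root
        $1 == "SU" && $6 ~ /-root$/ {
            from = substr($6, 1, length($6) - 5)   # strip "-root"
            if ($4 == "-")
                print "FAILED", $2, $3, $5, from
            else if (!(from in ok))
                # Succeeded although the user is not on the expected list:
                # the restriction is not in effect or the list is stale.
                print "UNEXPECTED", $2, $3, $5, from
        }
    '
}

# Constructed sample log lines (not from a real system)
sample_sulog() {
cat <<'EOF'
SU 03/14 09:12 + ttyp1 alice-root
SU 03/14 09:40 - ttyp3 carol-root
SU 03/14 09:41 - ttyp3 carol-root
SU 03/14 10:05 + ttyp2 dave-oracle
SU 03/14 11:30 + ttyp4 erin-root
EOF
}

# Demo run on the constructed sample; on a real host use:
#   audit_sulog "alice bob" < /var/adm/sulog
sample_sulog | audit_sulog "alice bob"
```
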
Suraj Singh_1
Trusted Contributor

Re: Disable su -

Yes, the only possible way to disable su is either to rename it or move it to a place which is not in the PATH.

Rgds
What we cannot speak about we must pass over in silence.
Trond Haugen
Honored Contributor

Re: Disable su -

Well Ng, if a user is able to get su from another system he will need to already have root privileges.
CooLmaChO, if a user can su to root he has the root password. If you remove su he can still log in as root and "have all the fun he wants". Unless you utilize securetty, but then root will only be able to log in from the console.

Seems to me the solution is to protect the passwords.

Regards,
Trond
Regards,
Trond Haugen
T G Manikandan
Honored Contributor

Re: Disable su -

You can use the sudo tool to restrict the usage of the su command.


Biswajit Tripathy
Honored Contributor

Re: Disable su -

CooLmaChO,
As Trond said, if a user can su to root, (s)he already
has the passwd. What you need is a strong password
policy.

It's not really a good idea to hide/rename/move the
su binary. I would strongly advise against it.

- Biswajit
:-)