if "cbeny" knows the password of the "target" user, you can't disable "su".

you could place "cbeny" in a resticted shell, but that may be overkill for what you want to accomplish

you could write a wrapper script for the std "su" that looks at who ran it before doing the real "su"

you could use "sudo", or "PowerBroker"

Hi:

As OldSchool mentions, 'switch-user' or 'su' is password authenticated and a password will be posed everytime unless starting from root and going to a user account. 'root' is not authenticated with 'su', only user accounts are.

If the issue is with 'su - root' from a user account then you can convert to a trusted system and live with those nusances, but I think popularity for trusted systems had really diminished since 10.20 and 11.00.

You can also use the even less popular NIS Plus and get the same root restirctions. But I have yet to find an HP-UX box using NIS Plus. Its very unpopular.

Hello,

Apart from the advice you already got from
others, here are other options:

a) Set option SU_ROOT_GROUP in /etc/default/security and add user "cbeny" if
they are allowed to su(1) to "root".

Or, if you do not want "cbeny" to be able to
su(1) to "root", then make them not be
part of Unix group as defined in SU_ROOT_GROUP.

b) Change permissions on /usr/bin/su (normally 4555, owner root, group bin or
root), to a more restrictive, say 4550:

-r-sr-x--- 1 root sugrp ... /usr/bin/su

Then, create a sugrp in /etc/group. Add
the users that are allowed to run su(1) to
membership of the Unix group sugrp.

c) Finally, think about using
Role Based Access Control.

Cheers,

VK2COT

http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=1349273