sudoers syntax

I'm stuck with a dilemma. I am trying to control userid's access to the su command in such a way that he will not be able to su to root (su, su -, su root, su - root) but he will be able to su to any other user. I have tried the following syntax:

userid  ALL=/usr/bin/su ?*, !/usr/bin/su *root*

This catches "su", "su root", and "su - root", but not "su -". I've also tried the following syntax:

Cmnd_Alias  SU_TO_ROOT = /usr/bin/su, /usr/bin/su -, /usr/bin/su *root*, /usr/bin/su - *root*
userid  ALL=ALL, !SU_TO_ROOT

This catches all four types of su'ing to root, but it also catches all other su attempts, which I would like to leave open. Any suggestions?

While I've never tried this with *root*, you could make another group called sutoroot and add this to root's list of groups. Then (at least on AIX) you can restrict by group which groups are authorized to su to this user.

Just one thought

You can filter the dash flag with [!-]*

See below:

# on the alphas, john may su to anyone but root and flags are not allowed
john        ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

(more examples on Sudo Main Page)
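To see which su invocations each of the rule lists in this thread actually admits, here is an added example that is not part of the original thread and not code from the sudo project: a small Python model of the sudoers(5) argument-matching rules it assumes (fnmatch-style wildcards over the space-joined argument string, a Cmnd listed with no arguments matching the command with any arguments, "" matching only a bare invocation, "!" negation, last matching Cmnd wins). The RULE_* names, the sample invocations and the RULE_FIXED_2 variant are this example's own.

```python
"""Offline model of sudoers command-argument matching for the su rules in this thread.

Added example, not code from the original thread or from the sudo project.
It assumes the sudoers(5) matching rules relevant here:
  * a Cmnd listed with no arguments matches the command run with ANY arguments;
  * a Cmnd whose argument is "" matches only a run with no arguments;
  * otherwise the user's arguments, joined by single spaces, must fnmatch()
    the pattern, and wildcards match across word boundaries;
  * "!" negates a Cmnd, and the last matching Cmnd in the list wins.
Confirm anything derived from it on a real host with `visudo -c` and `sudo -l`.
"""
from fnmatch import fnmatchcase

SU = "/usr/bin/su"

# The three command lists from the thread, with the Cmnd_Alias expanded inline.
RULE_QUESTION_1 = f"{SU} ?*, !{SU} *root*"
RULE_QUESTION_2 = f"ALL, !{SU}, !{SU} -, !{SU} *root*, !{SU} - *root*"
RULE_ANSWER = f"{SU} [!-]*, !{SU} *root*"
# Assumed fix (not from the thread) for the second attempt: "" denies only a
# bare `su`, where the bare Cmnd `/usr/bin/su` denied su with any arguments.
RULE_FIXED_2 = f'ALL, !{SU} "", !{SU} -, !{SU} *root*, !{SU} - *root*'

# Constructed sample invocations, as the argument lists the user would type.
ATTEMPTS = [[], ["-"], ["root"], ["-", "root"], ["bob"], ["-", "bob"]]


def parse_specs(spec_text):
    """Turn 'cmd args, !cmd args, ...' into (negated, command, arg_pattern) tuples.

    arg_pattern is None when the Cmnd lists no arguments at all.
    """
    specs = []
    for raw in spec_text.split(","):
        item = raw.strip()
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        head, _, rest = item.partition(" ")
        specs.append((negated, head, rest.strip() or None))
    return specs


def spec_matches(spec, cmd, args):
    """Does one Cmnd spec match the command and argument list the user ran?"""
    _, spec_cmd, pattern = spec
    if spec_cmd == "ALL":
        return True
    if spec_cmd != cmd:
        return False
    argstr = " ".join(args)
    if pattern is None:       # no arguments in the Cmnd: any arguments match
        return True
    if pattern == '""':       # "" in the Cmnd: only a bare invocation matches
        return argstr == ""
    return fnmatchcase(argstr, pattern)


def allowed(spec_text, cmd, args):
    """Evaluate a command list; a later matching spec overrides an earlier one."""
    verdict = False
    for spec in parse_specs(spec_text):
        if spec_matches(spec, cmd, args):
            verdict = not spec[0]
    return verdict


def decisions(spec_text):
    """Map each sample invocation, e.g. 'su - root', to its allow/deny verdict."""
    return {" ".join(["su"] + args): allowed(spec_text, SU, args) for args in ATTEMPTS}


if __name__ == "__main__":
    rules = [("question, attempt 1", RULE_QUESTION_1),
             ("question, attempt 2", RULE_QUESTION_2),
             ("answer: [!-]*", RULE_ANSWER),
             ('assumed fix with ""', RULE_FIXED_2)]
    for name, rule in rules:
        print(f"{name}: {rule}")
        for invocation, ok in decisions(rule).items():
            print(f"  {invocation:10} {'allow' if ok else 'deny'}")
```

Running it shows why the two attempts in the question behave as described: "su -" passes `?*` and is not caught by `*root*`, and the bare `/usr/bin/su` entry in SU_TO_ROOT matches su with any arguments, which is what denies every other su as well (sudoers uses `""` to mean "no arguments", which RULE_FIXED_2 uses instead). Two things to keep in mind when testing on a real host: sudoers wildcards match across word boundaries, so `*root*` also denies an unrelated user whose name contains "root" (a user named "groot", say), and `visudo -c` plus `sudo -l -U userid` is the authoritative check, not this model.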