I'm stuck with a dilemma. I am trying to control userid's access to the su command in such a way that he will not be able to su to root (su, su -, su root, su - root) but he will be able to su to any other user. I have tried the following syntax:
userid ALL=/usr/bin/su ?*, !/usr/bin/su *root*
This catches "su", "su root", and "su - root", but not "su -". I've also tried the following syntax:
Cmnd_Alias SU_TO_ROOT = /usr/bin/su, /usr/bin/su -, /usr/bin/su *root*, /usr/bin/su - *root*
userid ALL=ALL, !SU_TO_ROOT
This catches all four types of su'ing to root but it also catches all other su attempts, which I would like to leave open. Any suggestions?
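The following is an added example, not part of the original post: a small Python model of how sudoers matches the Cmnd part of a rule against the command a user runs, applied to the two rule sets above. It encodes three rules from sudoers(5): a Cmnd written with no arguments (such as a bare `/usr/bin/su`) matches any arguments, a Cmnd written with arguments is compared against the user's arguments joined into one string using fnmatch-style wildcards (where `*` also matches spaces), and when several entries match the last one wins, with no match meaning deny. The names `RULESET_1`, `SU_TO_ROOT`, `RULESET_2`, `CASES`, the user `bob`, and the helper functions are all constructed for this example; only command/argument matching is modelled, not the user or host parts of a rule.

```python
import fnmatch

# Constructed model of sudoers Cmnd matching; this is not sudo's own code.
# Rules encoded (see sudoers(5)):
#   * a Cmnd with no arguments (e.g. "/usr/bin/su") matches ANY arguments,
#   * a Cmnd with arguments is matched against the user's arguments joined into
#     one string, using fnmatch(3)-style wildcards ('*' also matches spaces),
#   * a Cmnd with an explicit "" matches only a command given with no arguments,
#   * when several entries match, the LAST match wins; no match means deny.
# Only the command/argument part is modelled; user and host matching is ignored.


def _split(spec):
    """Split 'path args...' into (path, args); args is None when absent."""
    path, sep, args = spec.partition(" ")
    return path, (args if sep else None)


def cmnd_matches(rule_cmnd, command_line):
    """Does one (non-negated) sudoers Cmnd entry match the given command line?"""
    if rule_cmnd == "ALL":
        return True
    rule_path, rule_args = _split(rule_cmnd)
    path, args = _split(command_line)
    if args is None:
        args = ""                       # command run with no arguments at all
    if rule_path != path:
        return False
    if rule_args is None:               # bare Cmnd: any arguments match
        return True
    if rule_args == '""':               # explicit "": only no arguments match
        return args == ""
    return fnmatch.fnmatchcase(args, rule_args)


def allowed(rules, command_line):
    """Evaluate an ordered list of Cmnd entries; a leading '!' negates."""
    verdict = False                     # default deny when nothing matches
    for rule in rules:
        negated = rule.startswith("!")
        body = rule[1:] if negated else rule
        if cmnd_matches(body, command_line):
            verdict = not negated       # last matching entry wins
    return verdict


# The two attempts from the post, as ordered Cmnd lists.
RULESET_1 = ["/usr/bin/su ?*", "!/usr/bin/su *root*"]
SU_TO_ROOT = ["/usr/bin/su", "/usr/bin/su -",
              "/usr/bin/su *root*", "/usr/bin/su - *root*"]
RULESET_2 = ["ALL"] + ["!" + c for c in SU_TO_ROOT]

# Constructed command lines to check; 'bob' stands in for any non-root user.
CASES = ["/usr/bin/su", "/usr/bin/su -", "/usr/bin/su root", "/usr/bin/su - root",
         "/usr/bin/su bob", "/usr/bin/su - bob"]


def report(rules):
    """Map each command line in CASES to True (allowed) or False (denied)."""
    return {c: allowed(rules, c) for c in CASES}


if __name__ == "__main__":
    for name, rules in (("ruleset 1", RULESET_1), ("ruleset 2", RULESET_2)):
        print(name)
        for cmd, ok in report(rules).items():
            print(f"  {cmd!r:24} -> {'allowed' if ok else 'denied'}")
```

Running it reproduces the behaviour described in the post: under the first rule set `su -` is allowed because `-` satisfies `?*` and contains no `root`, while under the second rule set every `su` invocation is denied, because the bare `/usr/bin/su` entry inside `SU_TO_ROOT` matches any arguments and its negation therefore overrides `ALL` for all of them.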