Bugzilla – Full Text Bug Listing

| Summary: | `sudo su --` security bug?! | | |
|---|---|---|---|
| Product: | Sudo | Reporter: | rtalbert |
| Component: | Sudo | Assignee: | Todd C. Miller <Todd.Miller> |
| Status: | RESOLVED INVALID | | |
| Severity: | security | | |
| Priority: | low | | |
| Version: | 1.8.6 | | |
| Hardware: | All | | |
| OS: | All | | |
Description
rtalbert
2016-11-01 13:44:34 MDT
You need to either provide the output of "sudo -l" for that user or the relevant sudoers file entries.

```
admtalbe@doanfs001 /home/admtalbe->sudo -l
Matching Defaults entries for admtalbe on this host:
    env_reset, env_keep+="TZ ODMDIR LIBPATH DISPLAY", logfile=/var/log/sudolog, !syslog, timestamp_timeout=0
Runas and Command-specific defaults for admtalbe:
    Defaults>root !set_logname
User admtalbe may run the following commands on this host:
    (ALL) NOPASSWD: ALL, (ALL) !/usr/bin/su \"\", !/bin/su \"\", !/usr/bin/su -, !/bin/su -, /usr/bin/su - [a-z]*, /bin/su - [a-z]*, /usr/bin/su
    [a-z]*, /bin/su [a-z]*, !/usr/bin/su root, !/bin/su root, !/usr/bin/su - root, !/bin/su - root, !/usr/bin/su -[a-z]*, !/bin/su -[a-z]*,
    !/usr/bin/sh, !/bin/sh, !/usr/bin/csh, !/bin/csh, !/usr/bin/ksh, !/bin/ksh, !/usr/ucb/rcp, !/usr/ucb/rsh, !/usr/bin/shelltool, !/bin/shelltool,
    !/usr/local/bin/bash, !/fs/misc/local/bin/bash, !/usr/local/bin/tcsh, !/fs/misc/local/bin/tcsh, !/usr/openwin/bin/xterm, !/usr/local/bin/zsh,
    !/local/bin/emacs
```
That sudoers entry allows any command except for a few exceptions. There is nothing in that list to prevent the user running "/usr/bin/su --".
I suspect you want to exclude "/usr/bin/su" and "/bin/su" completely and then add in the patterns you do want. For example:

```
!/usr/bin/su, !/bin/su, /usr/bin/su - [a-z]*, /bin/su - [a-z]*, /usr/bin/su [a-z]*, /bin/su [a-z]*, !/usr/bin/su root, !/bin/su root, !/usr/bin/su - root, !/bin/su - root
```

Alternately, you could simply change:

```
!/usr/bin/su -[a-z]*
```

To:

```
!/usr/bin/su -[a-z-]*
```

which will match "su --". Note that giving a user sudo "ALL" and then trying to restrict specific commands is not really secure as the user will always be able to find a way to get a shell either by copying a shell to another name, using a shell escape from another program/editor or by creating a new program/script and executing it.
So, our fault. Figures we mucked up. Thank you very much for your reply.
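A worked model of the matching discussed in this bug, added here as an example; it is not code from the bug report and not sudo's own implementation. It assumes a simplified sudoers semantics: Cmnd entries are already full paths, the user's arguments are matched as one space-joined string with a glob (Python's `fnmatchcase()` standing in for sudo's own `fnmatch()`), an entry with no argument pattern matches any arguments, an entry with `""` matches only a command run with no arguments, and when several entries match the last one listed wins. Runas specs and the `NOPASSWD` tag are ignored, the rule lists are a constructed subset of the reporter's entries (the `/bin/su` duplicates are dropped), and `/tmp/mysh` is a hypothetical renamed copy of a shell used only to illustrate the maintainer's closing caveat.

```python
"""Simplified model of sudoers command matching (added example, not sudo's
code).  Assumptions: full-path Cmnd entries, arguments matched as one
space-joined string with a glob, no pattern = any arguments, "" = no
arguments at all, and the last matching entry wins."""
from fnmatch import fnmatchcase


def parse_entry(entry):
    """Turn '!/usr/bin/su - [a-z]*' into (negated, command, args_pattern)."""
    negated = entry.startswith("!")
    body = entry[1:] if negated else entry
    parts = body.split(None, 1)
    command = parts[0]
    if len(parts) == 1:
        args = None                     # no pattern: any arguments match
    elif parts[1].strip() == '""':
        args = ""                       # "": matches only a bare command
    else:
        args = parts[1].strip()
    return negated, command, args


def entry_matches(entry, command, user_args):
    """Does one parsed sudoers entry match this command and argument string?"""
    _negated, ecmd, eargs = entry
    if ecmd == "ALL":
        return True
    if ecmd != command:
        return False
    if eargs is None:
        return True
    if eargs == "":
        return user_args == ""
    return fnmatchcase(user_args, eargs)


def decide(rules, argv):
    """Return 'allow', 'deny' or 'nomatch' for argv; last matching entry wins."""
    command, user_args = argv[0], " ".join(argv[1:])
    verdict = "nomatch"
    for rule in rules:
        if entry_matches(rule, command, user_args):
            verdict = "deny" if rule[0] else "allow"
    return verdict


# Constructed subset of the reporter's entries, in their original order.
ORIGINAL = [parse_entry(e) for e in [
    "ALL",
    '!/usr/bin/su ""', "!/usr/bin/su -",
    "/usr/bin/su - [a-z]*", "/usr/bin/su [a-z]*",
    "!/usr/bin/su root", "!/usr/bin/su - root",
    "!/usr/bin/su -[a-z]*",
    "!/bin/sh",
]]

# Maintainer's first suggestion: deny su outright, then re-allow patterns.
DENY_SU_FIRST = [parse_entry(e) for e in [
    "ALL",
    "!/usr/bin/su",
    "/usr/bin/su - [a-z]*", "/usr/bin/su [a-z]*",
    "!/usr/bin/su root", "!/usr/bin/su - root",
    "!/bin/sh",
]]

# Maintainer's second suggestion: widen the class so "-[a-z-]*" matches "--".
WIDER_CLASS = [
    parse_entry("!/usr/bin/su -[a-z-]*")
    if r == parse_entry("!/usr/bin/su -[a-z]*") else r
    for r in ORIGINAL
]

# Constructed command lines to evaluate.
CASES = {
    "su --":      ["/usr/bin/su", "--"],
    "su - alice": ["/usr/bin/su", "-", "alice"],
    "su - root":  ["/usr/bin/su", "-", "root"],
    "su":         ["/usr/bin/su"],
    "/bin/sh":    ["/bin/sh"],
    "/tmp/mysh":  ["/tmp/mysh"],   # hypothetical renamed copy of a shell
}


def verdict_table(rules):
    """Map each constructed case to its verdict under the given rule list."""
    return {name: decide(rules, argv) for name, argv in CASES.items()}


if __name__ == "__main__":
    for label, rules in [("original", ORIGINAL),
                         ("deny su first", DENY_SU_FIRST),
                         ("wider class", WIDER_CLASS)]:
        print(f"{label}: {verdict_table(rules)}")
```

Under `ORIGINAL`, `su --` is matched only by `ALL`, because `-[a-z]*` requires a letter after the dash and `- [a-z]*` requires a space, so it is allowed; both suggested rewrites turn it into a denial while `su - alice` stays allowed and `su - root` stays denied. The `/tmp/mysh` case is allowed under every list, which is the maintainer's point about deny-lists layered on `ALL`.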