Prevent users from sudo'ing to root

view story

http://serverfault.com – I've seen this question in different forms on various forums. Each time, the result never seems to be a full answer. I would like to prevent users from being able to sudo to root while maintaining the ability to sudo to other users. As tedious a task as this is I already know I can lock out editing the sudoers file and from running sudo bash|sh|etc. The one issue I can't seem to get around, though, is sudo su. According to the sudoers man page: john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* On the ALPHA machines, user john may su to anyone except root but he is not allowed to (HowTos)