su is run a shell with substitute user and group IDs. su is used to become another user during a login session. Invoked without a username, su defaults to becoming the super user. The optional argument -- may be used to provide an environment similar to what the user would expect had the user logged in directly.
Restricting su command to root superuser only is simple.
First, determining the path location of the binary is required using the following command
# which su
Remember the current file mode bits and restrictions for su binary
# ls -la /bin/su
-rwxr-xr-x 1 root root 24284 Apr 28 2007 /bin/su
Noticed that su binary is world executable and world readable. This basically means anybody can call and execute the su binary and gain access to perhaps stolen password with bash-enabled user accounts. If you wish to change this, you can issue the following command as follows
# chmod 700 /bin/su
So, only root and root alone can call su binary command.
Note that, it is not advisable to do this if your su binary is set to suid root, that has similar attributes like below:
-rwsr-xr-x 1 root root 27052 2007-08-02 18:33 /bin/su
as it could affect some apps and package that links to suid root-ted su binary.