I'm here, don't worry!
It's not as easy as it might look at first sight.
'su' is one of those commands with accessauths "ALLOW_ALL", and those commands usually
query the real userid of the user executing the command, and only real UID '0' can su without password.
So you will have to do several things:
- Create a new User-defined Authorization, call it e.g. "UserSU" (or the like)
- Add this authorization to a role given exclusively to those users to be allowed to 'su' without password (or create a new role).
- Customize the entry for '/usr/bin/su' in privcmds by changing accessauths to "UserSU" instead of "ALLOW_ALL" and by adding "ruid = 0"
Best use 'smitty rbac' for the above, and don't forget 'setkst' when done.
Now if one of the authorized users switches to the role you enhanced (or created) above, he/she will then be able to 'su' without password.
Be careful, and don't give the authorization to switch to that role to just anybody, because there is no means (NO MEANS!) to forbid su'ing to root!!
Good ol' sudo ...
wmp
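
An added audit example, not part of the post above and not AIX tooling: a small Python check that parses privcmds-style stanzas and reports which commands run with real UID 0 and which authorizations unlock them, so the `UserSU` change can be reviewed after it is made. The stanza layout, the sample entries and all function names are assumptions constructed for illustration.

```python
# Constructed sample in the stanza layout assumed for the privcmds database
# (entries are illustrative, not taken from a real system).
SAMPLE_PRIVCMDS = """\
* constructed sample
/usr/bin/su:
        accessauths = UserSU
        ruid = 0
        secflags = FSF_EPS

/usr/bin/passwd:
        accessauths = ALLOW_ALL
        secflags = FSF_EPS

/usr/sbin/mount:
        accessauths = aix.fs.manage.mount,ALLOW_OWNER
        euid = 0
"""

def parse_stanzas(text):
    """Return {command: {attribute: value}} from stanza-format text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):      # blank line or comment
            continue
        if line.endswith(":") and "=" not in line:  # stanza header
            current = stanzas.setdefault(line[:-1], {})
        elif current is not None and "=" in line:   # attribute = value
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def root_ruid_commands(stanzas):
    """List (command, [authorizations]) for entries that set ruid = 0."""
    findings = []
    for cmd, attrs in sorted(stanzas.items()):
        if attrs.get("ruid") == "0":
            raw = attrs.get("accessauths", "")
            auths = [a.strip() for a in raw.split(",") if a.strip()]
            findings.append((cmd, auths))
    return findings

def su_without_password_auths(stanzas, su_path="/usr/bin/su"):
    """Authorizations that unlock a real-UID-0 su, or [] if not configured."""
    return next((a for c, a in root_ruid_commands(stanzas) if c == su_path), [])

if __name__ == "__main__":
    for cmd, auths in root_ruid_commands(parse_stanzas(SAMPLE_PRIVCMDS)):
        print(f"{cmd}: ruid=0, accessauths={','.join(auths) or '(none)'}")
```

Any authorization reported for `/usr/bin/su` should map only to the role reserved for the users meant to 'su' without password.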