An already logged in user ALSO can't do it, because you can't trace SUID binaries..
try it 'strace su'.
Sorry, let me be more specific on this:
you can't remotely attach to it..
'strace su' in one term, strace -p $PID in another.. You'll get an 'operation not permitted'
further, if you 'strace' su, sudo, or anything else.. it wont run with root permissions, it'll run with the permissions of the user who ran strace.
