Beyond the mechanics of switching users, su also needs SUID permissions to perform its most sensitive task: reading the password database.
chmod 4755 /bin/su
Notice the permissions. Only root can read and write to this file (members of the shadow group may also read it, depending on the distro). su must be SUID to work properly.
It is worth noting that on some systems, su might rely on the SGID (Set Group ID) bit with the shadow or root group rather than full SUID root. However, this is configuration-dependent. The most universal mechanism remains SUID root, as root is the only UID capable of switching to any other user ID freely.
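A defender-side check of the permissions described above, as an added example that is not part of the original page: it reports whether su gets its privilege from SUID root or from SGID to the shadow or root group, and flags modes that weaken either file. The path /etc/shadow, the group name shadow and all function names are assumptions made for this example.

```python
import grp
import os
import stat


def classify_su_mode(mode, uid, gid, shadow_gid=None):
    """Return (mechanism, findings) for the stat fields of a su-like binary."""
    findings = []
    suid = bool(mode & stat.S_ISUID)
    sgid = bool(mode & stat.S_ISGID)
    if suid and uid == 0:
        mechanism = "suid-root"
    elif sgid and (gid == 0 or (shadow_gid is not None and gid == shadow_gid)):
        mechanism = "sgid-shadow-or-root"
    else:
        mechanism = "none"
        findings.append("no SUID root or SGID shadow/root: cannot read the password database")
    if suid and uid != 0:
        findings.append("SUID set but owner is not root")
    # A writable privileged binary can be replaced by whoever can write to it.
    if (suid or sgid) and mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("privileged binary is group- or world-writable")
    return mechanism, findings


def check_shadow_mode(mode, uid):
    """Only root may read and write; a group (e.g. shadow) may at most read."""
    findings = []
    if uid != 0:
        findings.append("owner is not root")
    if mode & stat.S_IRWXO:
        findings.append("accessible to other users")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    return findings


def audit(su_path="/bin/su", shadow_path="/etc/shadow"):
    """Stat the real files (paths are assumptions) and apply both checks."""
    try:
        shadow_gid = grp.getgrnam("shadow").gr_gid
    except KeyError:
        shadow_gid = None  # distro without a shadow group
    su, sh = os.stat(su_path), os.stat(shadow_path)
    return (classify_su_mode(su.st_mode, su.st_uid, su.st_gid, shadow_gid),
            check_shadow_mode(sh.st_mode, sh.st_uid))


if __name__ == "__main__":
    print(audit())
```

Reading the mode bits with os.stat does not require read access to the file itself, so the audit can run as an unprivileged user.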