Ever since Tiger did away with running rc.boot at startup, there have been a lot of system administrators wondering how to deny single user mode to their users. While anyone with enough motivation can still gain privilege on a computer if they have physical access (think install disk), there is a fundamental difference between having a perfectly secure system and inviting tinkering by allowing anyone meandering through the office to become root by holding down command-option-S.
One way to balance your system security is to use the /var/root/.profile login script for root. This file is only run when root gains Terminal access using the -sh login shell, which generally happens in only two cases: when booting in single user mode, or when calling sudo -i from a Terminal window. Because single user mode uses a different $TERM than sudo -i from inside Aqua, it's very easy to tell the two apart. Just create (as root, obviously) this simple /var/root/.profile file:
# Reboot when root's login shell is on the single user console (TERM is vt100)
if [ "$TERM" = vt100 ]; then /sbin/reboot; fi
This will keep unprivileged users from booting in single user mode, while still allowing unlimited password-protected xterm access. The only side effect is that you also will not be able to use the >console login with sudo -i. You can, however, still log into >console as root, or use su or sudo -s, because all three of these use bash instead of sh by default, and bash reads the .bashrc file for configuration, not .profile.
PLEASE NOTE: It's very important that this is only used by those who know the consequences of denying single user login. It may be necessary to boot in target disk mode if a bad system crash occurs to re-enable single user mode!
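Because a mistake in this file can lock you out of single user mode, it helps to exercise the $TERM test from a normal Terminal window before installing it. The script below is an added example, not part of the original hint; the function names and the GUARD_ENFORCE variable are hypothetical, and the sample TERM values other than vt100 are constructed.

```shell
#!/bin/sh
# Dry-run harness for the /var/root/.profile single user guard.
# guard_decision, apply_guard and GUARD_ENFORCE are hypothetical names.

# Decide what the guard would do for a given TERM value.
# Prints "reboot" for the single user console TERM named in the hint (vt100)
# and "continue" for anything else, including an empty or unset TERM.
guard_decision() {
    term_value=${1:-}
    case "$term_value" in
        vt100) echo reboot ;;
        *)     echo continue ;;
    esac
}

# Apply the decision to the current session. Unless GUARD_ENFORCE=1 is set,
# it only reports what would happen, so it is safe to run while testing.
apply_guard() {
    decision=$(guard_decision "${TERM:-}")
    if [ "$decision" = reboot ]; then
        if [ "${GUARD_ENFORCE:-0}" = 1 ]; then
            /sbin/reboot
        else
            echo "dry run: TERM=${TERM:-<unset>} would trigger /sbin/reboot"
        fi
    fi
    return 0
}

# Constructed sample TERM values: single user console, a Terminal window, unset.
for sample in vt100 xterm-color ""; do
    printf 'TERM=%-12s -> %s\n' "${sample:-<unset>}" "$(guard_decision "$sample")"
done
```

Running `TERM=vt100 apply_guard` in a Terminal window shows the dry-run message without rebooting; the reboot only fires when GUARD_ENFORCE=1 is set as well.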

