We have multiple users accounts with /bin/bash shell allocated to them. An another application "su" to these accounts for controlling their service statuses and monitoring purposes. Passwords for these users are not set though. What shall I do to secure these users.
Refer doc https://unix.stackexchange.com/questions/113754/allow-user1-to-su-user2-without-password
would it not be a potential exploit window if user account can be logged into using pam modules. i.e. without sudo and without passwords. What can be done about this?
Any time you have a security boundary that doesn't require authentication, you have a potential exploit. Whether or not that can be turned into an exploit in practice is a different problem, but in this case if you're lowering privileges, you should be fine.
The explanation given in the selected answer for the question you linked is no less secure than any other option, and actually doesn't even require you to have any other means to authenticate as the users in question. For something that's local only, that is probably what I would do myself, although I'd do so with sudo instead of su (su is inherently insecure because of how it's designed).
Alternatively, you can also achieve the same by using SSH and public key authentication, you just create a key-pair for the account that is doing the monitoring, and require your other accounts to have the public key for that account in
~/.ssh/authorized_keys. If the other accounts are used by actual people though, this is probably not the best idea because it's liable to break and will make anybody who is reasonably security-minded to feel nervous.