No, I haven't, I haven't heared of pacifist before.
Pacifist can show you quite a bit. I took a quick look at the installer both using Pacifist and looking at a sampling of the various packages Info.plists. To me it looks like the maker of the packages missed on the ownership of the files. From what I saw, all the files to be installed carried ownership of admin:wheel. For the admin owner the UID 501 is being used. This is the first account created when you install Mac OS X. The default installation is to take place at /usr/local/php5/.
When I examined some of the Info.plists, they showed that "admin" authorization was required for installation. As the account you were using when installed was an administrator account, you implicitly gave your permission. It would not have asked you for a password.
Example from an Info.plist showing the level of authentication needed and default install location --
<key>IFPkgFlagAuthorizationAction</key>
<string>AdminAuthorization</string>
<key>IFPkgFlagDefaultLocation</key>
<string>/usr/local/php5</string>
But the package seems to be a simple directory, at
least I can cd into it in the shell. It contains a
directory called "Contents", which itself contains
Info.plist (a file)
Packages (a directory that seems to contain the
actual content that is installed)
PkgInfo (a (small) file)
Resources (a directory containing some additional
stuff)
You might want to take a look at the
anatomy of a metapackage in the developer section.
I think the package itself can be trusted, as it was
linked from the official PHP homepage.
While the package comes from a reliable source and its contents can be presumed to be safe and the software will run as expected, that does not mean that the installer can't have mistakes such as file ownership errors.
However, I
don't see a way how OS X could find out that this
package is trusted and that the installer can be
granted root privileges - except perhaps by checking
all the things the package wants to to and granting
the installation only if this does not affect other
parts of the system. But I think such a check would
be difficult to implement and error-prone.
The installer was not granted root privileges. It was only granted administrator privileges as you cited --
Jul 26 20:29:39 hostname : Package Authoring Warning: entropy-php.mpkg authorization level is NoAuthorization but was promoted to AdminAuthorization for compatibility, ensure authorization level is sufficient to install. . . .
Jul 26 20:30:18 hostname : admin auth received to install
If root privileges were granted, this line would look something like this exerpt from my computer logs--
Jul 25 18:09:32 mini : Package Authoring Warning: Install xxxxx.mpkg authorization level is NoAuthorization but was promoted to RootAuthorization for compatibility, ensure authorization level is sufficient to install. . . .
Jul 25 18:09:54 mini : admin auth received to install
The other option is that the installer asked my
password when I installed the package for the first
time (unfortunately, I don't remember) and OS X now
"knows" that this installation is "authorized".
It doesn't work that way. If username and password are required for a higher level of authority, you will always be asked for it.
You might want to review what is in your /var/log/install.log for varying examples. This log contains everything that is in the log file you can view when running the installer.
What I did not see (too many packages to rifle scrutinize) is how the installer was able to make a directory in /usr/local without root authorization. I think this might be possible if one of the enclosed packages was set to overwrite permissions. In any event you will probably want to do a recursive chown to set the /usr/local/php5/ directory and its contents to root:wheel. You will probably also want to check for any other directories that were created or where files were installed to see if additional permissions need changing.
Hope this helps somewhat. I am certainly no expert, but I am somewhat familiar with making packages.
Matt
Mac Mini G4; B&W G3/300