admin users are root on OSX client. There isn't a
root user unless you go to specific lengths to enable
it. This seems to match the message that the
installer automatically escalated the privelages.
As far as I understood it, the default admin user is not the root user but can get root privileges by providing his password (and only by providing his password).
For example, try to create a folder in /usr/local with "mkdir test" with your default admin user. It won't work as long as you don't use sudo (which asks for your password).
The only possible security ramification now would be
if a non-admin user could change whatever list or
property is used to sigify "admin" status.
I don't agree. Of course, an unprivileged user gaining admin- or root privileges would be worse. But an installer that is started from an admin (not root) account should not be able to do things that normally would require a password. And as mentioned above, normally you can't create a new folder in /usr/local, and you can't overwrite /etc/sudoers.
Also - it might need to be made known better that by
being an admin - sometimes root things will happen
without the password dialog.
I'm afraid I don't understand the part between the "-" of your sentence. Do you have an example for root things happening without asking for the password?
I for sure was under the
impression that the system wouldn't do "root-like"
things for me unless it asked for a password....
This is what I believed and what would be a "correct" behaviour, imo. Of course, there are system services running with higher privileges, perhaps the installer is one of them. But I think a user with only admin privileges should not be allowed to manipulate these services in a way like the one described here.
And one more general aspect on this: I think Apple's intention using a sudoer instead of a root account and a default user was to let the "normal" user do his daily work with the default account created after the OS X installation. The sudoer concept is, on the one hand, a way to confine the risk of damage, while, on the other, it allows easy system administration without the overhead of an higher privileged account.
This, of course, only works if the concept is implemented correctly and consistently. This is - in my opinion - not the case here.