This has two parts.
First, sudo, which ubuntu encourages using rather than su. Sudo can
be set up to allow users to do just some things as root rather than
everything, by editing the file /etc/sudoers.
Second, various Ubuntu programs that run as root. Some expect that
the user's $PATH starts with /sbin and /usr/sbin, and run programs
without specifying the complete file name.
If a user has limited sudoers privileges, then various
Ubuntu-supplied programs can often be tricked into granting the user
complete root access.
sudo apt-get install firefox will run either ldconfig
or start-stop-daemon (I forget). Not every package has this problem, but
many enough to make it a FAQ.
I feel sure that whoever reports this will be told by the sudoers
maintainers that the problem is with e.g. apt-get, and by the apt-get
people that the problem is with sudoers. Both are reasonable
responses, but I'd rather write code than argue. So all I'll do is