Well, I've written a project named WebRat (http://webrat.hellug.gr) which actually does several scary things on every host it's installed, like adding/removing/modifying users (among others). It isn't the prettiest thing, nor the cleanest code, but it was written for a purpose in that way.

Any way, to cut the long story short, I create a server, which is executed by the root user, it only listens to 127.0.0.1 and then the cgi opens a connection to the server (and localhost of course) and passes in there the request.

The request parsing, security checks etc are done on the CGI, while all the real stuff (like open /etc/passwd, write and save) are performed by the server.

If that doesn't make sense as I present it (sorry about my english by the way :-) , just grab the source and get a look. I think it's a nice approach for that kind of stuff.