Sudo can do this sort of thing for you. It's an executable so you'd need to use system or backticks to run it.

You'd need to split your logic so that the user interface is handled by the CGI script and updating the config file is handled by another script ('Script-B'). Then you'd configure the sudoers file to allow the anonymous web user (typically 'apache' or 'nobody') to run Script-B under another the user's real user id (with no password prompt and no lecture). Details of the required change would be passed to Script-B via the command line or STDIN. This assumes you've authenticated the user somehow before you proceed with the update.

Sudo itself is a setuid-root program but I believe it is well audited code - it's certainly widely used and has been for years.