in reply to Secure Standalone Web Applications with super user access
Having the entire Web server run as root sounds dangerous. Instead, consider creating small SetUID helper programs, executable only by the Web server, to do the tasks requiring special privileges. If you're rolling your own daemon with HTTP::Daemon, make sure you do everything in taint mode, and throughout development think about things that malicious users could do to take control of the machine.
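
One way to write such a helper under taint mode, as an added example that is not part of the original reply. The task (restarting a service), the service names, the `/usr/sbin/service` path and the way the helper gets its privileges (a setuid wrapper or a sudo rule restricted to the Web server account) are all assumptions.

```perl
#!/usr/bin/perl -T
# Added example: a privileged helper that performs exactly ONE task
# on behalf of the unprivileged web server process.
# Hypothetical task: restart a service chosen from a fixed allowlist.
use strict;
use warnings;

# Taint mode refuses to run external commands with an inherited
# environment, so drop the risky variables and pin PATH.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/usr/sbin:/usr/bin:/sbin:/bin';

# Hypothetical allowlist; these service names are assumptions.
my %ALLOWED = map { $_ => 1 } qw(exampled example-worker);

sub untaint_service {
    my ($raw) = @_;
    return unless defined $raw;
    # A regex capture is how tainted data becomes untainted, so the
    # pattern must be strict. \A and \z reject a trailing newline.
    my ($name) = $raw =~ /\A([a-z][a-z0-9-]{0,31})\z/ or return;
    # Matching the pattern is not enough: the name must be allowlisted.
    return $ALLOWED{$name} ? $name : undef;
}

my $service = untaint_service($ARGV[0]);
unless (defined $service) {
    print STDERR "refused: argument is not an allowed service name\n";
    exit 2;
}

# List-form system() runs the program directly, without a shell,
# so shell metacharacters are never interpreted.
my @cmd = ('/usr/sbin/service', $service, 'restart');
system(@cmd) == 0 or do {
    print STDERR "helper: command failed (status $?)\n";
    exit 1;
};
exit 0;
```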