Well, thanks to everyone who commented. I thought I'd fill you all in on my progress since I posted the question:
- I still find it faintly implausible that no-one's made a DAV-based replacement for ftpd, which makes me think that I'm either missing something about DAV which makes it utterly unsuitable for the job, or I've been searching in the wrong places. Oh well, it's a learning project.
- Right now I have: a root-owned process which accepts connections and spawns a child which looks for basic authentication. The child then bottles out or drops privileges to said user, fires up a Net::DAV::Server and starts serving requests from ~user. It works with cadaver and Windows Web Folders. Security-wise, the root-owned process is still doing far too much work, but at least the file serving aspects are done with the right privileges.
- Net::DAV::Server is an 80% solution for the protocol aspects. I have made some changes to it which I may send back to the author, although he does mention that he's working on it.
- Authen::SimplePam provides a great way of checking system users without having to know too much about PAM. Seriously, if I'd had to start understanding PAM as well, I probably wouldn't have got the job done. Thanks to jaldhar and DrHyde for confirming that PAM was the way to go.
- Thanks to roju, I am now adding privsep, although it does add to the complexity of the code overall. But hey, better a few hours now than a compromise somewhere down the line, eh kids?
- Permanently dropping privileges in Perl seems to be non-trivial on platforms that have a "saved UID". For this reason I am using the (experimental) Proc::UID. I get a better feeling from that than simply setting $< and $> but it is very much prerelease. Any clarification on this subject would be welcome: I'm still researching.
- The future will include: proper privsep; more general user authentication; HTTPS (a must).
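The permanent drop discussed in the saved-UID item above, as an added example that is not the poster's code: it uses only the core POSIX module in place of Proc::UID and proves the drop by trying to regain root. The helper name `drop_privileges_permanently` and the command-line account argument are hypothetical. It assumes a POSIX platform where `setuid()` called with effective UID 0 also resets the saved UID.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX ();

# Hypothetical helper (not from the post): permanently become $user, or die.
sub drop_privileges_permanently {
    my ($user) = @_;
    my (undef, undef, $uid, $gid) = getpwnam($user)
        or die "unknown user '$user'\n";
    die "refusing to 'drop' to uid 0\n" if $uid == 0;
    die "must be started as root\n" unless POSIX::geteuid() == 0;

    # Groups first, while still privileged. Assigning "gid gid" to $) sets the
    # effective GID and calls setgroups() with only that GID, so root's
    # supplementary groups are discarded.
    $) = "$gid $gid";
    my @groups = split(' ', $));
    die "supplementary groups not cleared: @groups\n"
        if grep { $_ != $gid } @groups;

    # Assumption: called with euid 0, setgid()/setuid() change the real,
    # effective and saved IDs together, which makes the drop permanent.
    defined POSIX::setgid($gid) or die "setgid($gid): $!\n";
    defined POSIX::setuid($uid) or die "setuid($uid): $!\n";

    # Ask the kernel, not Perl's $< and $>, what the process IDs are now.
    die "uid not fully dropped\n"
        unless POSIX::getuid() == $uid && POSIX::geteuid() == $uid;
    die "gid not fully dropped\n"
        unless POSIX::getgid() == $gid && POSIX::getegid() == $gid;

    # A surviving saved UID of 0 would let either of these attempts succeed.
    die "regained root via setuid(0)\n" if defined POSIX::setuid(0);
    { local $!; $> = 0; }
    die "regained root via seteuid(0)\n" if POSIX::geteuid() == 0;
    return ($uid, $gid);
}

# Run as root: perl drop.pl <account>
unless (caller) {
    my $user = shift @ARGV or die "usage: $0 <account>\n";
    my ($uid, $gid) = drop_privileges_permanently($user);
    print "now running as uid=$uid gid=$gid, root cannot be regained\n";
}
```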