One way to do this is to write a small server which runs as root, and takes a username, password, and information about what the user would like to do. It can then authenticate the user and decide what action to take, and finally communicate back the result. If you use a program like checkpassword to do the authentication, then only that program will run as root, and it's very well-audited and likely to be secure.

This is often safer than a SetUID CGI script because it's better isolated from the Web server.