The "old-school" way of doing this - and this approach is still perfectly good, assuming you haven't done anything strange with the "mount" command for your current partition - is to create a compiled program that does just that one thing (i.e., start ntpd) and is set as 'chown root:www-data myprog; chmod 4750 myprog' - meaning that only users belonging to group 'www-data' (or the root user) could execute it, and that it was run as root (SUID). Then, that program is executed by the CGI program as appropriate. This is fairly secure, and works well.