in reply to
running root command from cgi
I am doing this so they can package the server as a product which allows the not so savvy users to change network configurations.
Um... is allowing users to screw up the method in which they update the server a good idea? Just a thought ;)
I would recommend something like Jasonk is talking about. But to give a few more ideas in the pool.
make a script that will do the actual editing and restart netstart. Using taint mode is an absolute must! Because you're on FreeBSD modifying the config is actually pretty easy. All you need to do is append the delta's to the end of rc.conf, so the relevent information like ip address, mask and such should be pretty easy to check. Make this script SUID root, and make sure that the only thing it will execute is /etc/netstat. Then put this script somewhere safe, that is; somewhere where apache will certainly not be able to see it.
Then make a second script to be the "web interface". Again taint checking is a must. Then use the first script to pass parameters to the second script. Just make sure that you are extremely strict on what input is allowed, and careful in what you write to rc.conf, make sanity checks at both ends and you should be fine.
You can also include files in rc.conf. Which might be a little safer than risking wacking the entire file. Just use the shell include syntax: