R – Capistrano + thin + nginx with user not allowed to sudo howto

I have a scenario like this which I want to use capistrano to deploy my ruby on rails application:

1. The web application is on a thin cluster with the config file stored under /etc/thin. also an init script is in /etc/init.d/thin, so it would start automatically whenever my server needs a reboot
2. Also nginx is executed the same way (as an init script daemon)
3. To make sure in case if somebody hacked my webserver I don't want them to do something too horrible, so the web user is not allowed to sudo.
4. Thin and nginx both runs as the webuser to enforce such security

Now when I need to do the deployment, I would need the files to be installed under /home/webuser/railsapps/helloworld, and I need the cap script restart my thin afterwards. I want to keep all files owned by the webuser, so the cap script primary user is running as webuser. Now the problem arise when I want to restart the thin daemon because webuser can't sudo.

I am thinking if its possible to invoke two separate sessions- webuser for file deployment, and then a special sudoer to restart the daemon. Can anyone give me a sample script on this?