In OS X there is an API called KUNC (Kernel-User Notification Center)
This API is used by the kernel (typically a kext) when it wants to display notification to users or launch userland command.

So there is a function, KUNCExecute() which do this.
Here is its prototype, taken from xnu-xxxx.xx.x/osfmk/UserNotification/KUNCUserNotifications.h (available here):

#define kOpenApplicationPath    0
#define kOpenPreferencePanel    1
#define kOpenApplication        2

#define kOpenAppAsRoot          0
#define kOpenAppAsConsoleUser   1

kern_ret_t KUNCExecute(char *executionPath, int openAsUser, int pathExecutionType);

The function is really simple, here is a brief detail of the 3 parameters :
- executionPath : Path to the program to execute.
- openAsUser : Flag which take the value kOpenAppAsConsoleUser to execute the program with the rights of the logged user, or kOpenAppAsRoot to execute the program as root.
- pathExecutionType : Flag which specify the type of application to execute, one of the 3 flags defined at the beginning. kOpenApplicationPath : Absolute path to a binary, kOpenPreferencePanel : Name of a Preference Pane in /System/Library/PreferencePanes, kOpenApplication : Name of an application in /Applications.

For example, if we wished to launch a backdoor located in /tmp, we’ll do :

KUNCExecute("/tmp/backdoor", kOpenAppAsRoot, kOpenApplicationPath);