in reply to Script for SFTP users not deleting accounts automatically

As this is data coming into the script, I'd be inclined to validate the username beyond lower-casing. Also, I have included character class checking, as usernames are usually not allowed to have a number (and possibly an underscore too, I would have to check that) as the first character. The \W would allow that as the first character.

Performing the untainting prior to calling system validation functions may also prevent badly constructed usernames getting passed through to the system in functions such as getpwnam.

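    my $un = shift;
    # Binding operator is =~ ; \z anchors at the true end of the string
    # (\Z would also match just before a trailing newline).
    unless( $un =~ s/\A([_A-Za-z][_A-Za-z0-9]+)\z/$1/ ){
        # Log/Warn(L4/5);
        #? exit &ask_user_to_resubmit_request;
    }
    $un = lc($un);
    ...
    unless($<){...}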

I'd likely suggest restricting user removal solely to root, but that is probably fine as long as admin privileges are in place.

Update: splitting the uid check from the user retrieval may even be better. We first see if an administrator is calling the script before pulling in and untainting the user-supplied data, then call the process body.

    #uid check
    unless($< == 0){
        # Log attempt and exit;
        exit 1;
    }else{
        print "Sue! How do you do?\nWe've been rooting for you"
    }
    #untaint and foldcase user data
    my $un = shift;
    # \w+ (word characters) after the leading letter; \W+ would only accept
    # non-word characters there. \z anchors at the true end of the string.
    unless( $un =~ s/\A([A-Za-z]\w+)\z/$1/ ){
        # Log attempt
        exit &ask_user_to_resubmit_request;
    }
    $un = lc($un);
    #carry on
    if(defined(getpwnam $un)){
        ...
    }
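The validation step discussed in this reply, run over constructed inputs, as an added example that is not part of the original post. The helper name `clean_username`, the sample usernames and the letters-only first character are assumptions; the uid check is left out so the demonstration runs as any user.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: returns a validated, lower-cased username, or
# nothing if the input does not look like an account name.
sub clean_username {
    my ($raw) = @_;
    return unless defined $raw;
    # Assumed policy: a letter first, then letters, digits or underscore
    # (at least two characters in total, as in the patterns above).
    # \A and \z pin the match to the whole string.
    return unless $raw =~ /\A([A-Za-z][A-Za-z0-9_]+)\z/;
    # Under taint mode (-T) only captured subpatterns are untainted,
    # so the result is built from $1, not from the original scalar.
    return lc $1;
}

# Constructed sample inputs, not taken from any real system.
my @samples = ("Alice", "bob_2", "9lives", "_svc", "a",
               "carol\n", "dave;id", "eve/../x");

for my $in (@samples) {
    (my $shown = $in) =~ s/\n/\\n/g;    # make a newline visible in output
    my $un = clean_username($in);
    unless (defined $un) {
        print "reject  '$shown'\n";
        next;
    }
    # Only a validated name is handed to the system lookup.
    my $uid = getpwnam($un);
    printf "accept  '%s' -> '%s' (%s)\n", $shown, $un,
        defined $uid ? "uid $uid" : "no such account";
}

# The same pattern anchored with \Z still matches "carol\n", because \Z
# also matches just before a trailing newline.
my $loose = "carol\n" =~ /\A([A-Za-z][A-Za-z0-9_]+)\Z/;
print "with \\Z, 'carol\\n' ", ($loose ? "matches" : "does not match"), "\n";
```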