I don't know the answer, but I do know that
system("su - user -c /mycode/getcwd $targetdir")
is less secure than
system('su', '-', 'user', '-c', '/mycode/getcwd', $targetdir)
since the arguments are not succeptable to shell interpretation in the latter.