Matchhostfsowner executes external commands in order to perform certain operations. For example it executes "readlink". However, the user can abuse this by setting PATH to a location that contains arbitrary executables, that are then executed by matchhostfsowner with root privileges.

We should reset PATH to a safe default, restoring it only after having dropped privileges.