I've set up a DAC sandbox for Firefox - just an extra limited user account, in its own group (and no other groups). I'd like to be able to create and delete files in the sandbox user's home, i.e. permissions o=rw. But I would like to do that on a global basis - from /etc/profile or such, not from the user's home directory. Furthermore I would like to make the sandbox user unable to change its own umask. Is this possible?