Just an idea:

1. User applications normally run with the rights given them (DAC)
2. setuid/setgid programs run with the rights of the owner/group (bypassing DAC)
3. sandboxed programs run with the intersected (as in set theory) rights of their user/groups and invoking user/groups.

So say we have an account 'bill' with membership in the groups users, audio, video, cdrom, and plugdev... And the account '_firefox' for the Firefox browser (and anything launched thereby), with membership in the groups audio and video. The intersection of the sets of the group memberships is just audio and video. This means that Firefox loses

- access to hardware via cdrom and plugdev groups
- access to Bill's files by not being the 'bill' user, or a member of 'users'

So to run Firefox, Bill would set up the directories it has access to:

$ mkdir ~/Downloads ~/.mozilla
$ setfacl -m _firefox:rwx ~/Downloads ~/.mozilla
$ setfacl -m default:_firefox:rwx ~/Downloads ~/.mozilla

Firefox would be able to write to ~/.mozilla and ~/Downloads, and that's it, because only the intersected set of access rights would be respected. Likewise anything spawned by Firefox.

Further thoughts:

1. I think this might be doable without ACLs, but I'm not sure. It might hinge on the same directory traversal/absolute path issue that kickboxer ran into.
2. When you get down to it, this is a lot like AppArmor, but less flexible. I'm not sure there's actually a good reason to have something like this...
3. Especially seeing as it would probably require a kernel patch, which defeats the purpose of trying to kludge my way to RBAC without resorting to a custom kernel.

But hey, thought experiments are fun.
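A toy model of the access rule proposed in the post, added here as an example and not code from the post or any real kernel: the sandboxed process takes the _firefox identity with the intersected group set, a simplified DAC-plus-named-user-ACL check decides each access, and every ancestor directory must grant 'x' (the point behind the directory traversal remark). The filesystem layout, modes and device names are constructed; the ACL mask and default ACLs are left out.

```python
from collections import namedtuple
from pathlib import PurePosixPath

Creds = namedtuple("Creds", "user groups")  # process identity: user name + set of group names
# mode = (owner, group, other) permission strings; acl_users = named-user ACL entries (setfacl -m user:perms)
Node = namedtuple("Node", "owner group mode acl_users", defaults=[{}])


def sandbox_creds(invoker: Creds, sandbox: Creds) -> Creds:
    """Rule 3 of the post: run as the sandbox account with only the intersected groups."""
    return Creds(sandbox.user, frozenset(invoker.groups) & frozenset(sandbox.groups))


def perms_for(node: Node, creds: Creds) -> str:
    """Simplified POSIX.1e order: owner, named-user ACL entry, owning group, other (mask ignored)."""
    if creds.user == node.owner:
        return node.mode[0]
    if creds.user in node.acl_users:
        return node.acl_users[creds.user]
    if node.group in creds.groups:
        return node.mode[1]
    return node.mode[2]


def may(fs: dict, path: str, creds: Creds, want: str) -> bool:
    """Access check that also requires 'x' on every ancestor directory (the traversal issue)."""
    for parent in PurePosixPath(path).parents:
        if "x" not in perms_for(fs[str(parent)], creds):
            return False
    return all(c in perms_for(fs[path], creds) for c in want)


# Constructed world from the post: bill's groups, the _firefox account, and the setfacl'd dirs.
BILL = Creds("bill", frozenset({"users", "audio", "video", "cdrom", "plugdev"}))
FIREFOX = Creds("_firefox", frozenset({"audio", "video"}))
SHARED = {"_firefox": "rwx"}  # effect of: setfacl -m _firefox:rwx ~/Downloads ~/.mozilla
FS = {
    "/": Node("root", "root", ("rwx", "r-x", "r-x")),
    "/home": Node("root", "root", ("rwx", "r-x", "r-x")),
    "/home/bill": Node("bill", "users", ("rwx", "r-x", "r-x")),  # a 0700 home would block traversal
    "/home/bill/Downloads": Node("bill", "users", ("rwx", "r-x", "---"), dict(SHARED)),
    "/home/bill/.mozilla": Node("bill", "users", ("rwx", "r-x", "---"), dict(SHARED)),
    "/home/bill/Documents": Node("bill", "users", ("rwx", "r-x", "---")),
    "/dev": Node("root", "root", ("rwx", "r-x", "r-x")),
    "/dev/sr0": Node("root", "cdrom", ("rw-", "rw-", "---")),  # cdrom group: lost in the sandbox
    "/dev/audio": Node("root", "audio", ("rw-", "rw-", "---")),  # audio group: kept
}


def firefox_may(path: str, want: str) -> bool:
    """What Firefox launched by bill can do with a path in the constructed filesystem."""
    return may(FS, path, sandbox_creds(BILL, FIREFOX), want)
```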