I had a thought on this....

It seems you are trying to provide the "floppy model" that users
currently have with their PCs.

User A writes the floppy,  User B can read it and do whatever he 
wants...

(I know this is Apple - but I'll stick to MSDOS for the discussion,
and "floppy" indicates any removable media.)

The reason for this is that MSDOS filesystems don't keep any
user credentials.   So, use  B can read anything on any floppy
he can find.

Wouldn't creating a file system that didn't support user
credentials solve your problem?   Format the floppy in that
file system and hand it to user B.   When user B mounts it,
he can do whatever he wants.   User A is aware of how the
floppy was created, as presumably some special step is
required to create the "discard credential" file system
on the floppy.   

Perhaps, such a file system could even be a UFS with a 
special marker somewhere?   Then, this marker could be "twiddled" 
after the fact.   For example,  user A formats and makes
a new UFS file system on the floppy, and copies the files
over.   Marks it as having no credentials (twiddles the bit)
and hands it to user B.   User B mounts it, with a regular
UFS mount - but because the magic bit is "twiddled" GID
and UID are ???  (here's where things break down, just what
do you use for those?  root/nobody/user's gid&uid?)

Just some thoughts...

	- Dave Rivers -