diff --git a/deploy/files/usr/local/libexec/left4me/left4me-script-sandbox b/deploy/files/usr/local/libexec/left4me/left4me-script-sandbox
index c216f56..e331607 100755
--- a/deploy/files/usr/local/libexec/left4me/left4me-script-sandbox
+++ b/deploy/files/usr/local/libexec/left4me/left4me-script-sandbox
@@ -42,9 +42,11 @@ fi
 chown -R l4d2-sandbox:l4d2-sandbox "$OVERLAY_DIR"
 chmod 0755 "$OVERLAY_DIR"
 
-exec systemd-run --quiet --collect --wait --pipe \
+SCRIPT_RC=0
+systemd-run --quiet --collect --wait --pipe \
 --unit="left4me-script-${OVERLAY_ID}-$$" \
 -p User=l4d2-sandbox -p Group=l4d2-sandbox \
+ -p UMask=0022 \
 -p NoNewPrivileges=yes \
 -p ProtectSystem=strict -p ProtectHome=yes \
 -p PrivateTmp=yes -p PrivateDevices=yes -p PrivateIPC=yes \
@@ -65,4 +67,14 @@ exec systemd-run --quiet --collect --wait --pipe \
 -p Environment="HOME=/tmp PATH=/usr/bin:/usr/sbin OVERLAY=/overlay" \
 -p MemoryMax=4G -p MemorySwapMax=0 -p TasksMax=512 \
 -p CPUQuota=200% -p RuntimeMaxSec=3600 \
- -- /bin/bash /script.sh
+ -- /bin/bash /script.sh || SCRIPT_RC=$?
+
+# Normalize perms so the web service (left4me uid) can read overlay files
+# directly via Python open() — needed by the file tree's download endpoint.
+# UMask=0022 above takes care of *new* writes; this catches anything the
+# script created with a tighter mode (e.g. cedapug_maps writes its
+# .cedapug/manifest.tsv as 0600 by default).
+find "$OVERLAY_DIR" -type f ! -perm -o+r -exec chmod o+r {} + 2>/dev/null || true
+find "$OVERLAY_DIR" -type d ! -perm -o+rx -exec chmod o+rx {} + 2>/dev/null || true
+
+exit $SCRIPT_RC
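Review bot: The two `find … chmod o+r` / `o+rx` lines in the second hunk grant read access on every overlay file and directory to all local users, while the comment only needs the left4me service uid to read them; a grant scoped to that uid, e.g. `setfacl -R -m u:left4me:rX -- "$OVERLAY_DIR"`, or a chgrp to the service's group followed by `g+rX`, would meet the stated goal without making sandbox output (including the 0600 manifest the comment mentions) world-readable, assuming that user or group exists on the host. The `2>/dev/null || true` on both lines also hides any find or chmod failure, so the download endpoint would later fail on a file nobody was told about; keep the non-fatal behaviour but report it, e.g. `… || printf 'warn: could not normalize perms in %s\n' "$OVERLAY_DIR" >&2`. The `systemd-run` invocation that this hunk ends begins in the first hunk, and the new `exit $SCRIPT_RC` should quote its expansion like the rest of the script does, `exit "$SCRIPT_RC"`.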