- As "user", create a directory /home/user/a and 
  chmod it to permissions 777
- Make a CGI script that when run creates a subdirectory
  /home/user/a/cgi_work with permissions 777 again
- As "user", move that directory from /home/user/a/cgi_work
  to /home/user/cgi_work
- As "user" remove the now empty directory /home/user/a
  (well, since it existed without protections for a bit of
  time, someone else can have snuck stuff into it in the
  mean time. Scream loudly to the admin and/or that person
  in that case)
- Make yet another CGI script that changes the 
  permissions of /home/user/cgi_work to something 
  sane again (probably 755).
- Make sure /home/user/cgi_work is empty 
  (otherwise repeat the scream ploy)