[lmi] Multiuser *nix configuration


From: Greg Chicares
Subject: [lmi] Multiuser *nix configuration
Date: Fri, 1 May 2020 16:09:31 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0

Vadim--Is there any reason not to do the following on our
linux server?
 - umask 002
 - set GID bit on all directories we create

This server is used only by two people who collaborate closely.
Both of us are sudoers, but we don't have the root password.
(Numerous corporate staffers have root accounts, but they use
those only to oversee and restrict what we do.)

We can't create users. But I have been able to create an "lmi"
group and add us both to it.

umask: Corporate policy is to use 077, presumably to gain some
perceived "security" benefit. I've been able to override that.
I don't see any legitimate reason not to make it 002.

setgid: I understand that setting the GID bit on regular files
is a potential security concern, but am I correct in believing
that it's purely harmless on directories? Apparently BSD works
as though it's set on every directory:

https://www.freebsd.org/cgi/man.cgi?query=open&sektion=2
| When a new file is created it is given the group of the
| directory which contains it.

Specific examples:

# Not OK: we didn't create and don't own /opt
  chgrp -R lmi /opt
# OK: we create and own /opt/lmi
  chgrp -R lmi /opt/lmi
# OK, similarly:
  chgrp -R lmi /var/cache_for_lmi
# Never OK, obviously:
  chgrp -R lmi /bin
# Not desirable--i.e., leaving my home directory's owner
# as my_id:my_grp is appropriate, and it's OK that
# 'umask 002' means my files are visible to anyone else
# in my group (on a machine where everyone's a sudoer):
  chgrp -R lmi /home

Wherever 'chgrp -R' is OK above, so are these commands:

# mode += 2000, for directories only:
find /opt/lmi -type d -exec chmod g+s {} +

# give group members same permissions as owner
# (notably, avoids making .git pack files writable):
chmod -R g=u /opt/lmi
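Added example, not part of the message above or of the lmi project: a POSIX sh script that audits a tree for the setup described (shared group on everything, setgid on directories only, group permissions equal to the owner's) and applies the same chgrp/chmod/find commands to a tree you own. The function names and the finding labels are my own.

```sh
#!/bin/sh
# Added example, not from the message: audit and repair a shared tree for
# the setup proposed above (group GRP on everything, setgid on directories
# only, group permissions equal to owner permissions). POSIX sh and find.

# audit_shared_tree DIR GRP: print one line per deviation from that setup.
audit_shared_tree() {
    dir=$1 grp=$2
    {
        # directories without setgid: files created inside would get the
        # creator's primary group instead of GRP
        find "$dir" -type d ! -perm -2000 -exec printf 'no-setgid-dir %s\n' {} \;
        # setgid on regular files is the case the message flags as a concern
        find "$dir" -type f -perm -2000 -exec printf 'setgid-file %s\n' {} \;
        # anything not owned by the shared group
        find "$dir" ! -group "$grp" -exec printf 'wrong-group %s\n' {} \;
        # group lacks a permission bit (r, w or x) that the owner has, i.e.
        # 'chmod g=u' has not been applied
        for b in 4 2 1; do
            find "$dir" -perm "-${b}00" ! -perm "-0${b}0" \
                -exec printf 'group-bits-differ %s\n' {} \;
        done
    } | sort
}

# audit_count DIR GRP: number of findings, so callers can test for zero.
audit_count() {
    audit_shared_tree "$1" "$2" | wc -l | tr -d ' '
}

# fix_shared_tree DIR GRP: apply the commands from the message. Only run it
# on a tree you own (the /opt/lmi case), never on /opt, /bin or /home.
fix_shared_tree() {
    dir=$1 grp=$2
    chgrp -R "$grp" "$dir"
    # group gets exactly the owner's permissions; a read-only file (such as
    # a .git pack file) stays read-only for the group too
    chmod -R g=u "$dir"
    # setgid on directories only, applied after g=u so that no chmod
    # implementation can clear it again
    find "$dir" -type d -exec chmod g+s {} +
    # and make sure no regular file carries setgid
    find "$dir" -type f -perm -2000 -exec chmod g-s {} +
}
```

Run `audit_shared_tree /opt/lmi lmi` before and after `fix_shared_tree /opt/lmi lmi`; an empty report means the tree matches the setup the message describes.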
