Draft: Standardize file permissions

Sami Hiltunen requested to merge smh-standardize-perms into master

Gitaly uses a wide variety of different file permissions. This is unnecessarily complicated, and we're granting wider access than necessary.

  • Files should not be written into after they've been created. Doing so breaks the snapshot isolation of transactions, because the files are shared between different snapshots. Files should always be replaced in a copy-on-write fashion: create a new file, then replace the old directory entry with the new one. This means no one needs write permissions on the files in the storage, not even the user executing Gitaly.
  • Gitaly's storage should be accessible only by Gitaly. Access to the data is guaranteed to be consistent only through the API. If a WAL entry application is in progress, repositories and other data in the storage could be inconsistent and look corrupted. Only the user executing Gitaly should be able to read the storage.
  • Internal temporary and cache files have little reason to be usable by anyone except Gitaly.

This MR applies the above logic to all file permissions and removes the unused permissions. The only files that Gitaly writes out that continue to be readable outside of Gitaly for now are log files.
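The copy-on-write replacement and the "only Gitaly can read it" policy described above, as an added example written for this page (it is not Gitaly's own code, and the `dirPerm`/`filePerm` constants, `replaceFile` and `auditTree` are assumptions for illustration, not Gitaly's identifiers): a new file is written read-only in the target directory and swapped in with `rename`, so the old file is never opened for writing, and a walker reports any entry that is wider than the policy.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Permissions assumed for this example (not Gitaly's actual constants):
// directories are traversable only by the owning user, and files are
// read-only even for the owner, since they are never written after creation.
const (
	dirPerm  = os.FileMode(0o700)
	filePerm = os.FileMode(0o400)
)

// replaceFile writes content to a fresh file next to target and atomically
// swaps it in with rename. The existing file is never opened for writing, so
// a reader that still holds it open keeps seeing the old, consistent content.
func replaceFile(target string, content []byte) error {
	dir := filepath.Dir(target)
	if err := os.MkdirAll(dir, dirPerm); err != nil {
		return err
	}
	tmp, err := os.CreateTemp(dir, "."+filepath.Base(target)+".*")
	if err != nil {
		return err
	}
	tmpName := tmp.Name()
	// Remove the half-written file on any failure path.
	fail := func(err error) error {
		tmp.Close()
		os.Remove(tmpName)
		return err
	}
	if _, err := tmp.Write(content); err != nil {
		return fail(err)
	}
	// Drop the write bit before the file becomes visible under its final name.
	if err := tmp.Chmod(filePerm); err != nil {
		return fail(err)
	}
	if err := tmp.Sync(); err != nil {
		return fail(err)
	}
	if err := tmp.Close(); err != nil {
		os.Remove(tmpName)
		return err
	}
	if err := os.Rename(tmpName, target); err != nil {
		os.Remove(tmpName)
		return err
	}
	// Persist the new directory entry itself, not just the file data.
	d, err := os.Open(dir)
	if err != nil {
		return err
	}
	defer d.Close()
	return d.Sync()
}

// auditTree walks root and reports entries wider than the policy above:
// any group/other bits, or a write bit on a regular file.
func auditTree(root string) ([]string, error) {
	var violations []string
	err := filepath.WalkDir(root, func(path string, d os.DirEntry, err error) error {
		if err != nil {
			return err
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		perm := info.Mode().Perm()
		if perm&0o077 != 0 || (d.Type().IsRegular() && perm&0o200 != 0) {
			violations = append(violations, fmt.Sprintf("%s: %o", path, perm))
		}
		return nil
	})
	return violations, err
}

func main() {
	root, err := os.MkdirTemp("", "perms-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	target := filepath.Join(root, "repo", "HEAD")
	// Constructed sample content: replace the file twice, as a ref update would.
	for _, content := range []string{"ref: refs/heads/main\n", "ref: refs/heads/other\n"} {
		if err := replaceFile(target, []byte(content)); err != nil {
			panic(err)
		}
	}
	violations, err := auditTree(root)
	if err != nil {
		panic(err)
	}
	fmt.Println("violations:", violations)
}
```

The audit walker is the check a reviewer would run over a storage directory after a change like this one: an empty result means every file is read-only and nothing is visible to group or other. `os.CreateTemp` creates the file as 0600, which is why the explicit `Chmod` happens before the rename rather than after it.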