`dir_ensure` and `file_ensure` do securely create the given path with the given mode.

[thanatos]

When creating potentially sensitive directories, dir_ensure and file_ensure do not create the file with the passed mode; instead, the create it and then chmod it to the appropriate attributes.

For directories, mkdir accepts -m, such as mkdir foo -m 700. For files, the umask can be temporarily changed with (umask 077 && cat >> new_file), though this is a bit more hacky.