You have the better part of the solution figured out; the only thing left to do is to correct permissions for things created by root. There are at least two approaches:

1. You can modify the root-side process to call `chmod` after modifying a file. I do not think this is applicable to your case, because then you'd probably just call `chown` and `chmod` and wouldn't have set up an sgid directory.

2. You can modify the `umask` for the root process. I think it would be better to modify the umask just for this process, not for the root environment, because sometimes root touches files other users shouldn't mess with, and it's usually better to remember to open access than to close gaps. Therefore, you could add `umask 0007` in front of the call to the binary that runs as root.
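As an added illustration of the second approach (not part of the answer above, and not a script from the asker's setup), the following POSIX shell snippet shows what a per-command umask does to files and subdirectories created inside a setgid shared directory. Nothing in it needs root: a subshell stands in for the hypothetical binary that runs as root, and the temporary directory name, the `mode_of` helper and the `run_helper_with_umask` function are all constructed for this example.

```shell
#!/bin/sh
# Added example: effect of "umask 0007; <helper>" inside a setgid directory.
# No root required; a subshell stands in for the privileged helper.
set -eu

# Print the permission bits of a path in octal (GNU stat, BSD stat fallback).
# GNU stat includes the setgid bit, e.g. "2770" for rwxrws---.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a fresh setgid group-shared directory (constructed for this demo)
# and print its path.
make_shared_dir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/shared.XXXXXX")
    chmod 2770 "$d"   # rwxrws---: setgid so new entries inherit the group
    printf '%s\n' "$d"
}

# Simulate the root-side helper creating a file and a subdirectory while
# running under a given umask. The umask is set inside a subshell, exactly
# as "umask 0007; /path/to/helper" would do, so it never leaks into the
# caller's environment. Prints "<file mode> <dir mode>".
run_helper_with_umask() {
    # $1 = umask, $2 = shared directory, $3 = basename for the new entries
    (
        umask "$1"
        : > "$2/$3.txt"    # helper creates a file      (requested mode 0666)
        mkdir "$2/$3.d"    # helper creates a directory (requested mode 0777)
    )
    printf '%s %s\n' "$(mode_of "$2/$3.txt")" "$(mode_of "$2/$3.d")"
}

main() {
    dir=$(make_shared_dir)
    # With the usual default umask the group cannot write what root creates.
    echo "umask 022:  $(run_helper_with_umask 022 "$dir" before)"
    # With umask 0007 the group keeps write access and "other" gets nothing.
    echo "umask 0007: $(run_helper_with_umask 0007 "$dir" after)"
    rm -rf "$dir"
}

main "$@"
```

On Linux the first line prints `644 2755` and the second `660 2770`: the subdirectory inherits the setgid bit from its parent either way, but only the restricted umask leaves the group write bit set on what the helper creates. Note that umask can only take bits away from the mode a program asks for, so a helper that explicitly creates files with `0644` still needs a `chmod` afterwards, which is the first approach.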