
Consider more restrictive file permissions for the DirectoryStore #106

Open
JayH5 opened this issue Dec 14, 2016 · 2 comments

Comments

@JayH5
Contributor

JayH5 commented Dec 14, 2016

It seems to be common practice to store certificates or the directories that contain them with restrictive file permissions (e.g. 0600).

The official certbot client seems to do this (or did when I last checked), although in most cases certbot is run as root, whereas that may not be the case for txacme.

@mithrandi
Contributor

The certs directory for DirectoryStore is meant to already exist, so I think the permissions of it are the responsibility of the user since they're creating it.

Unfortunately setting the permissions of the individual files in the store is a tricky business; if we set the permissions after writing the file, there is a window of time where the file has whatever permissions it got via umask since we haven't changed them yet. If we change the umask, then we screw up the permissions of any file opened in a different thread at the same time. Ugh :(

@mithrandi
Contributor

FWIW what I wrote here before is wrong; open(2) allows passing a file mode, so we can leverage this via io.open(os.open(path, O_TRUNC, mode), 'w') or some such, but it's a bit of a mess since we can't use FilePath to do this for us anymore. Also, this is POSIX-specific.
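As an added example (not txacme's own code, and not posted by either participant), the following Python shows both approaches discussed above on a constructed private-key file: the write-then-chmod pattern, which returns the permission bits another local user could observe during the window, and a write that passes the mode to open(2) through os.open so the file is never created with the umask-derived default. The function names (write_then_chmod, write_private_file, current_umask, file_mode, demo) and the temporary-file naming scheme are this example's own choices. It is POSIX-specific, as the comment notes.

```python
import os
import stat
import tempfile


def current_umask():
    """Return the process umask without changing it (set-then-restore).

    os.umask() only reports the old value when it sets a new one, so this is
    briefly racy against other threads: the same process-global problem the
    thread describes with toggling the umask around a write.
    """
    old = os.umask(0)
    os.umask(old)
    return old


def file_mode(path):
    """Permission bits of ``path`` (e.g. 0o600), without the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_then_chmod(path, data, mode=0o600):
    """The racy approach: create with the umask-derived mode, then chmod.

    Returns the permission bits observed between the write and the chmod,
    i.e. what another local user could see during the window.
    """
    with open(path, "wb") as f:
        f.write(data)
        window_mode = file_mode(path)
    os.chmod(path, mode)
    return window_mode


def write_private_file(path, data, mode=0o600):
    """Write ``data`` to ``path`` without ever exposing it with loose permissions.

    The mode is handed to open(2) via O_CREAT, so the file is created already
    restricted (the kernel still applies the umask, which can only clear bits).
    Because the mode argument is only honoured when the file is created, an
    existing ``path`` is not truncated in place (that would keep its old bits);
    a fresh O_EXCL temporary file in the same directory is written and then
    atomically renamed over it, so a previously world-readable file also ends
    up with ``mode``.
    """
    directory = os.path.dirname(os.path.abspath(path))
    tmp_path = os.path.join(directory, ".%s.%d.tmp" % (os.path.basename(path), os.getpid()))
    fd = os.open(tmp_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp_path, path)
    except BaseException:
        os.unlink(tmp_path)
        raise


def demo():
    """Constructed scenario in a throwaway directory; returns what each approach produced."""
    key = b"-----BEGIN PRIVATE KEY-----\nconstructed placeholder, not a real key\n-----END PRIVATE KEY-----\n"
    with tempfile.TemporaryDirectory() as d:
        racy = os.path.join(d, "racy.pem")
        window_mode = write_then_chmod(racy, key)

        private = os.path.join(d, "private.pem")
        write_private_file(private, key)

        # A pre-existing file with lax permissions: O_TRUNC in place would keep 0o644.
        existing = os.path.join(d, "existing.pem")
        with open(existing, "wb") as f:
            f.write(b"old contents")
        os.chmod(existing, 0o644)
        write_private_file(existing, key)
        with open(existing, "rb") as f:
            content = f.read()

        return {
            "expected_window_mode": 0o666 & ~current_umask(),  # what open(2) gives by default
            "window_mode": window_mode,
            "private_mode": file_mode(private),
            "existing_mode": file_mode(existing),
            "existing_content": content,
            "leftover": sorted(os.listdir(d)),  # no stray temp file after the rename
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, oct(value) if isinstance(value, int) else value)
```

Two practical points follow from this. First, since the mode only takes effect at creation, `io.open(os.open(path, O_TRUNC, mode), 'w')` over an existing file would keep whatever permissions that file already had, which is why the example always creates a new file and renames it into place. Second, the directory itself still governs whether the rename is possible and whether other users can list the store, so the point above about the user owning the permissions of the pre-existing certs directory still applies.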
