I have a Linux file server with some shared directories. These directories are sometimes accessed over SFTP, and sometimes by users with shells. Regardless of how these directories are accessed, I would like to ensure that:

  1. all files in the shared directory are always readable and writable by all users in the "fileserver" group (the moral equivalent of g+rw)
  2. all directories in the shared directory are always traversable by all users in the "fileserver" group (the moral equivalent of g+x)
  3. all files in the shared directory are never executable by anyone (the moral equivalent of g-x)

I have a vague recollection that I've done this before with setfacl but I am not sure how.

Glyph

1 Answer

The closest that I've come here is:

$ chown fileserver:fileserver . -R
$ find . -type f -print -exec chmod a-x '{}' ';'
$ find . -type d -print -exec chmod u+x '{}' ';'
$ find . -type d -print -exec chmod g+xs '{}' ';'
$ cat facls
user::rwx
group::rwx
other::r-x
default:user::rwx
default:user:fileserver:rwx
default:group::rwx
default:group:fileserver:rwx
default:mask::rwx
default:other::r-x
$ setfacl -M facls -R .

and it seems to do the right thing with respect to accidentally overly-strict umasks on processes writing to this directory, but it still gives users the ability to chmod files that they've created and thereby restrict their permissions.

The key problem with this solution is that the files are still owned by whoever created them, and the file owner has irrevocable permission to modify permissions. On BSD-derived systems, it seems you can fix this with a setuid directory (which causes all files created in that directory to be owned by the owner of the directory); however, Linux only has this behavior for setgid.

Glyph
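Because file owners can still chmod their own files, the tree can drift away from the three requirements in the question after the ACLs are applied. The following is an added example, not part of the original post: a periodic audit that reports every entry violating those requirements. The function name `audit_shared` is hypothetical, and it assumes a `find` that supports `-perm /MODE` (GNU findutils on Linux).

```sh
#!/bin/sh
# Added example: audit a shared tree against the three invariants in the question.
# audit_shared DIR GROUP prints one "<violation> <path>" line per finding and
# returns 1 if anything was found, 0 if the tree is clean.
audit_shared() {
    dir=$1
    group=$2    # assumption: "fileserver" on the server described above
    findings=$(
        # Requirement 1: every regular file is group readable and writable.
        find "$dir" -type f ! -perm -060 -exec printf 'file-not-group-rw %s\n' {} +
        # Requirement 3: no regular file carries any execute bit.
        find "$dir" -type f -perm /111 -exec printf 'file-executable %s\n' {} +
        # Requirement 2: every directory is traversable by the group ...
        find "$dir" -type d ! -perm -010 -exec printf 'dir-not-group-x %s\n' {} +
        # ... and setgid (the g+xs step), so new entries inherit the group.
        find "$dir" -type d ! -perm -2000 -exec printf 'dir-not-setgid %s\n' {} +
        # Everything in the tree belongs to the shared group.
        find "$dir" ! -group "$group" -exec printf 'wrong-group %s\n' {} +
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run from cron as `audit_shared /path/to/share fileserver`, a non-zero exit status flags files whose owners have tightened or loosened permissions since the ACLs were applied.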