(#9938) Allow directory sticky-ness to be set

The sticky bit (S_ISVTX) on a directory is used to restrict the
renaming and deletion of its children, typically for world writable
directories where you don't want users to rename/delete other user's
files.

Previously, group and other users could delete files in a directory if
they had write and execute permission on the parent directory.

With this commit, the logic is:

• Securable objects can always be deleted by their owner.

• If the sticky bit is not set, e.g. 00777, then any user/group/other with write and execute permission to the parent directory can delete its children. (The previous behavior)

• If the sticky bit is set, e.g. 01777, then group and other may not delete children for which they are not the owner.

The sticky bit can be set on files, though it doesn't change the
effective permissions on the object.

The state of the sticky bit is stored "out-of-band" in an access
control entry for the 'Nobody' group. This way the state of the sticky
bit can be round-tripped correctly. And as the name implies, no users
are a member of the 'Nobody' group, so no users can be granted or
denied access based on the access mask that its access control entry
contains.