First and foremost, you need to prevent the intrusions (duh).

Are you running SELinux containers? At least chroot environments for each public daemon?

Use SUID and SGID (carefully) to allow things to read/write where needed without a direct path to root from the user.
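
One way to check the "no direct path to root" part of the SUID/SGID advice above, as an added example that is not part of the original post: a shell audit that lists set-id files and separates the ones that run as root from the ones that run as a service account. The function names `audit_setid` and `make_sample` and the sample file names are hypothetical, and the sample tree is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: classify setuid/setgid regular files under a directory.
# Prints one line per file: CLASS<TAB>PATH
#   suid-root     setuid and owned by uid 0 (any caller runs it as root)
#   suid-service  setuid, owned by a non-root account
#   sgid          setgid only
# ",writable" is appended when group or other may modify the file.
# Assumption: paths contain no newlines.

audit_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        if [ -n "$(find "$f" -perm -4000 -user 0 2>/dev/null)" ]; then
            class=suid-root
        elif [ -n "$(find "$f" -perm -4000 2>/dev/null)" ]; then
            class=suid-service
        else
            class=sgid
        fi
        if [ -n "$(find "$f" \( -perm -0020 -o -perm -0002 \) 2>/dev/null)" ]; then
            class="$class,writable"
        fi
        printf '%s\t%s\n' "$class" "$f"
    done
}

# Constructed sample tree (hypothetical file names), owned by the current user.
make_sample() {
    d=$(mktemp -d) || return 1
    : > "$d/helper"; chmod 4755 "$d/helper"   # setuid, owner-only write
    : > "$d/loose";  chmod 4775 "$d/loose"    # setuid and group-writable
    : > "$d/plain";  chmod 0755 "$d/plain"    # no set-id bit: not reported
    printf '%s\n' "$d"
}

# Demo run on the constructed tree.
sample=$(make_sample) && audit_setid "$sample" && rm -rf "$sample"
```

Point `audit_setid` at the directories your public daemons can execute from; anything reported as `suid-root` or `,writable` is what the "carefully" above is about.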