Incorrect modes on files after change #168

@VorpalBlade

General description of the problem:

When a file with restricted modes (such as sudoers, shadow, etc) is changed, it ends up world readable. I have to run aconfmgr a second time to get it to detect the incorrect modes and correct it.

Steps to reproduce the problem:

  1. Use something like this to modify the sudoers file:

         f="$(GetPackageOriginalFile sudo /etc/sudoers)"
         sed -i 's/^# \(%wheel ALL=(ALL:ALL) ALL\)$/\1/g' "$f"

  2. Make sure that this is correctly applied to the system
  3. Change the above sed expression to generate a different line, or add an additional change to the file.
  4. Run aconfmgr --skip-checksums -c . apply --paranoid
  5. Notice how aconfmgr now made the file world readable.
  6. Rerun aconfmgr to get it to fix the mode

Configuration:

f="$(GetPackageOriginalFile sudo /etc/sudoers)"
sed -i 's/^# \(%wheel ALL=(ALL:ALL) ALL\)$/\1/g' "$f"
# Then change the above line to get it to do something different.

Expected result:

The file mode should always be restricted from the package.

Actual result:

The file mode ends up as the default world readable whenever aconfmgr applies a change to the file contents, be it from a change in the config or a change in the source package file (i.e. after an upgrade when pacnew hasn't yet been merged and aconfmgr is executed to update the config instead).

Log:

# On the first run of aconfmgr:

[...]
::: Rescanning...
:::: Examining files...
::::: Loading data...
:::::: Done.
::::: Comparing file data...
[...]
::::: Only in system: /etc/sudoers.pacnew
::::: Changed: /etc/bluetooth/main.conf
::::: Changed: /etc/sudoers
[...]
::::: Done (3 only in system, 2 changed, 5 only in config).
[...]
:: Configuring files...
::: Overwriting 2 changed files.
:::: Proceed? [Y/n/d] d
:::: Overwriting the following changed files:
* /etc/bluetooth/main.conf
* /etc/sudoers
:::: Proceed? [Y/n/d] y
[...]
:::: Overwriting /etc/sudoers...
::::: Proceed? [Y/n/d] d
--- /etc/sudoers	2022-10-08 14:39:46.762892723 +0200
+++ /tmp/aconfmgr-arvid/output/files//etc/sudoers	2023-07-25 10:27:49.169560010 +0200
@@ -59,6 +59,10 @@
 ## Uncomment to use a hard-coded PATH instead of the user's to find commands
 # Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 ##
+## Uncomment to restore the historic behavior where a command is run in
+## the user's own terminal.
+# Defaults !use_pty
+##
 ## Uncomment to send mail if the user does not enter the correct password.
 # Defaults mail_badpass
 ##
::::: Proceed? [Y/n/d] y
:::: Done.
[...]

# Rerun aconfmgr and get:

::: Configuring file properties...
:::: Comparing file properties...
::::: Done.
:::: Found 0 new, 0 changed, and 1 extra files properties.
::::: Proceed? [Y/n/d] d
::::: Clearing the following file properties:
:::::: Setting mode of /etc/sudoers to 440 (default value)
::::: Proceed? [Y/n/d] y
::::: Setting mode of /etc/sudoers to 440 (default value)
::::: Done.
:::: Done.
::: Done.

Additional context:

No response
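
An added illustration of the symptom reported above (not aconfmgr's code, and not a statement about where its bug lies): replacing a file by writing a fresh copy and renaming it over the target drops a restrictive mode, while creating the replacement with the target's existing mode keeps it. It assumes GNU coreutils (`stat -c`, `install`); the function names and the throwaway files are made up for the example.

```sh
#!/bin/sh
# Added example. Operates only on temporary files, never on /etc.

# Naive replace: the new copy gets the umask default (644 here) and the
# rename makes that the mode of the destination.
replace_naive() {
    cp "$1" "$2.new" && mv -f "$2.new" "$2"
}

# Mode-preserving replace: read the destination's current mode first and
# create the replacement with that mode before renaming it into place.
# install creates the copy restricted and then applies the requested mode,
# so the new content is not world readable at any point.
replace_keep_mode() {
    keep=$(stat -c %a "$2") || return 1
    install -m "$keep" "$1" "$2.new" && mv -f "$2.new" "$2"
}

# Succeeds when the "other" read bit is set on the file.
is_world_readable() {
    m=$(stat -c %a "$1") || return 2
    [ $(( 0$m & 4 )) -ne 0 ]
}

# Build a constructed stand-in for /etc/sudoers (mode 440), replace its
# content with the given strategy, and print the resulting octal mode.
mode_after() {
    umask 022
    d=$(mktemp -d) || return 1
    printf 'old content\n' > "$d/sudoers"
    chmod 440 "$d/sudoers"
    printf 'new content\n' > "$d/new"
    "$1" "$d/new" "$d/sudoers" || { rm -rf "$d"; return 1; }
    stat -c %a "$d/sudoers"
    rm -rf "$d"
}

for strategy in replace_naive replace_keep_mode; do
    printf '%-18s -> mode %s\n' "$strategy" "$(mode_after "$strategy")"
done
```
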
