(#11563) Only rewrite the DACL if the mode changes
Previously, the owner, group, mode getter and setter methods each managed their
part of the security descriptor. This lead to similar, but slightly different
methods, such as GetSecurityInfo being invoked once to get the owner, and
another time to get the dacl.
This commits adds methods for getting and setting the security descriptor,
and updates the owner/group/mode methods to call it. This eliminated duplicate
logic many places, e.g. change_sid, get_sid, set_acl, get_dacl, get_dacl_ptr,
get_security_info, and set_security_info.
This commit also means that if you change the owner and/or group, but not mode,
then the security descriptor will not be marked as protected, and the DACL
will not be rewritten. In other words, puppet won't mess up your file
permissions.
Only if you choose to manage the mode will puppet mark the SD as protected and
rewrite the DACL based on the security descriptors owner/group and specified
mode.