From 3d864070cba6dc92a8fdb651440d903fc78bd941 Mon Sep 17 00:00:00 2001
From: Jon Ellis
Date: Tue, 7 Jun 2022 22:19:22 +0100
Subject: [PATCH] Check file mode when verifying file to determine whether something needs to change
---
 plugins/modules/system/sudoers.py | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/plugins/modules/system/sudoers.py b/plugins/modules/system/sudoers.py
index 9cb07aa085..11f201fbb0 100644
--- a/plugins/modules/system/sudoers.py
+++ b/plugins/modules/system/sudoers.py
@@ -109,13 +109,15 @@ EXAMPLES = '''
 '''
 import os
-import subprocess
+import stat
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.common.text.converters import to_native
 class Sudoers(object):
+ FILE_MODE = 0o440
+
 def __init__(self, module):
 self.module = module
@@ -137,7 +139,7 @@ class Sudoers(object):
 with open(self.file, 'w') as f:
 f.write(self.content())
- os.chmod(self.file, 0o440)
+ os.chmod(self.file, self.FILE_MODE)
 def delete(self):
 if self.check_mode:
@@ -150,7 +152,12 @@ class Sudoers(object):
 def matches(self):
 with open(self.file, 'r') as f:
- return f.read() == self.content()
+ content_matches = f.read() == self.content()
+
+ current_mode = oct(os.stat(self.file).st_mode & 0o777)
+ mode_matches = current_mode == oct(self.FILE_MODE)
+
+ return content_matches and mode_matches
 def content(self):
 if self.user:
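Review bot: `import stat` is added in the first hunk, but nothing in the visible hunks references the `stat` module; the new mode check in `matches` calls `os.stat` and masks with the literal `0o777`. Unless a part of the file outside these hunks uses it, the import is dead and unused-import lint checks will flag it, so either drop it or use it in the comparison. `FILE_MODE` would also read better with a one-line comment, for example `# read-only for owner and group; compared against the on-disk mode in matches()`.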
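Review bot: In the second hunk the mode is still applied only after the content has been written, so a newly created file exists with umask-derived permissions until `os.chmod` runs, and stays that way if the write or the chmod fails. Setting the mode on the open descriptor before writing closes that window: put `os.fchmod(f.fileno(), self.FILE_MODE)` as the first statement inside the `with` block, ahead of `f.write(self.content())`. The enclosing method starts above the hunk, so any earlier handling of the file is not visible here.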
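Review bot: The mask `0o777` in `matches` discards the setuid, setgid and sticky bits, so a file at mode 0o4440 or 0o2440 still compares equal to `FILE_MODE` and is reported as needing no change. Comparing integers over all twelve permission bits fixes that and removes the `oct()` string round-trip: `mode_matches = stat.S_IMODE(os.stat(self.file).st_mode) == self.FILE_MODE`. The stat is also taken by path after the `with` block has closed the file; calling `os.fstat(f.fileno())` inside the block would check the same object whose content was just read. A short docstring saying that `matches` verifies content and mode but not ownership would keep the scope of the check clear.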