Apport currently provides a very useful attach_conffiles() function that "Attaches information about any modified or deleted conffiles" for a specified package.
However, if this function is called by an apport hook as a non-root user and if the package being queried contains any conffiles which are not readable by a non-root user, an IOError exception is generated.
This can be dealt with by catching the exception in the apport hook, but it has the side-effect of stopping an apport hook detecting reliably whether any of a packages conffiles have been modified whereas it should be possible to atleast check those conffiles the user does have read permission for.
Ideally, get_modified_conffiles() would handle the IOError exception and mark the unreadable conffiles in some way, but crucially handle the conffiles the user can read as expected.
I guess an alternative solution to this would be to catch the IOError and have apport invoke pkexec to read the files?