tmpfiles: allow prefixing uid/gid/mode with ":" to only apply on creation
    
    In some cases it is useful to specify the access mode/uid/gid for inodes
    we create without also enforcing them on existing inodes. Let's add a
    new flag for that: if the uid/gid/mode specificaitons are prefixed with
    ":", then they only apply to creation, not otherwise.
    
    This is specifically useful for provisioning SSH keys later. Those we'd
    like to provision like this:
    
    <snip>
    d /root :0700 root root -
    d /root/.ssh :0700 root root -
    f^ /root/.ssh/authorized_keys - - - - ssh.authorized_keys
    </snip>
    
    While /root/ + /root/.ssh/ being owned by root is pretty uncontroversial
    the access mode of /root/ and /root/.ssh/ might not be. Hence we should
    only have a default mode defined that is used when we create the dir,
    but not otherwise.