Kernel Hardening - security-misc

The permission-hardening script doesn’t work properly for some reason: some SUID binaries still exist after running it.

root@host:/usr/lib/security-misc# find / -perm /4000 -user root 2>/dev/null
/bin/umount
/bin/mount
/bin/su
/usr/bin/sudo
/usr/bin/firejail
/usr/bin/gpasswd
/usr/bin/bwrap
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/pkexec.security-misc-orig
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
root@host:/usr/lib/security-misc#

Some directories, like /usr/local/lib/python2.7/site-packages, are SGID, and removing the SGID bit from them might break things.

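When executing the script I also get some errors, but they don’t seem important. The three stat errors at the end, though, are for bwrap, polkit-agent-helper-1 and dbus-daemon-launch-helper, which are all still in the SUID list above, so those may be related.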

root@host:/usr/lib/security-misc# ./permission-hardening 
dpkg-statoverride: warning: stripping trailing /
dpkg-statoverride: warning: no override present
dpkg-statoverride: warning: stripping trailing /
dpkg-statoverride: warning: no override present
suid - file_name: '/usr/bin/sudo' | existing_mode: '4755'
dpkg-statoverride: warning: stripping trailing /
dpkg-statoverride: warning: no override present
dpkg-statoverride: warning: stripping trailing /
dpkg-statoverride: warning: no override present
ERROR: File '/lib32/' does not exist!
dpkg-statoverride: warning: stripping trailing /
dpkg-statoverride: warning: no override present
ERROR: File '/usr/lib32/' does not exist!
ERROR: File '/usr/lib64/' does not exist!
dpkg-statoverride: warning: stripping trailing /
dpkg-statoverride: warning: no override present
ERROR: File '/usr/local/lib32/' does not exist!
ERROR: File '/usr/local/lib64/' does not exist!
stat: cannot stat '/usr/bin/bwrap/**': Not a directory
stat: cannot stat '/usr/lib/policykit-1/polkit-agent-helper-1/**': Not a directory
stat: cannot stat '/usr/lib/dbus-1.0/dbus-daemon-launch-helper/**': Not a directory
root@host:/usr/lib/security-misc#