SUID Disabler and Permission Hardener

The only missing feature is: if suid / sgid was already removed during a previous run of the service and the user adds it to exactwhitelist or matchwhitelist after that, suid / sgid will not be re-enabled.

An easy fix would be to tell users “boot into admin mode”, run /usr/lib/security-misc/permission-hardening-undo and reboot. But this is a bit unsafe if other services are already started. “boot into admin mode” should probably mean “don’t start any services such as web services”? Will discuss in multiple boot modes for better security: persistent user | live user | persistent secureadmin | persistent superadmin | persistent recovery mode

We could auto-restore permissions for later added whitelist entries since permissions before the change are recorded in /var/lib/permission-hardening/existing_mode.

```bash
if [ "$mode_from_config" = "exactwhitelist" ]; then
```

could check /var/lib/permission-hardening/existing_mode. Same for

```bash
if [ "$mode_from_config" = "matchwhitelist" ]; then
```

But not sure if worth the effort.

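A sketch of the auto-restore idea as an added example; this is not the security-misc project's own code. It assumes each existing_mode record is `<path> <octal mode> <owner> <group>` and that whitelist entries are one path per line (hypothetical formats, not taken from the project).

```shell
#!/bin/sh
# Added example, not the security-misc project's own code.
# Assumed record format of /var/lib/permission-hardening/existing_mode,
# one file per line:  <path> <octal mode> <owner> <group>

# restore_recorded_mode STATE_FILE TARGET
# Re-applies the mode/owner/group recorded for TARGET before hardening.
# Returns 0 and prints the restored mode; returns 1 when no record exists.
restore_recorded_mode() {
  state_file="$1"; target="$2"
  record="$(awk -v p="$target" '$1 == p { print; exit }' "$state_file")"
  [ -n "$record" ] || return 1
  # here-document keeps read in the current shell so the variables survive
  read -r _ mode owner group <<EOF
$record
EOF
  chown "$owner:$group" "$target" && chmod "$mode" "$target" || return 1
  printf '%s\n' "$mode"
}

# restore_whitelisted STATE_FILE WHITELIST
# For every path in WHITELIST (one per line, '#' comments and blanks skipped)
# that still exists and has a record in STATE_FILE, restore the recorded
# permissions. Prints the number of files restored.
restore_whitelisted() {
  state_file="$1"; whitelist="$2"; count=0
  while read -r path _; do
    case "$path" in ''|'#'*) continue ;; esac
    [ -e "$path" ] || continue
    if restore_recorded_mode "$state_file" "$path" >/dev/null; then
      count=$((count + 1))
    fi
  done < "$whitelist"
  printf '%s\n' "$count"
}
```

Paths containing whitespace are not supported by this record format; the real state file would need a separator that cannot appear in a path.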