The only missing feature is: if suid / sgid was already removed during a previous run of the service and the user adds it to exactwhitelist or matchwhitelist after that, suid / sgid will not be re-enabled.
An easy fix would be to tell users “boot into admin mode”, run /usr/lib/security-misc/permission-hardening-undo and reboot. But this is a bit unsafe if other services are already started. “boot into admin mode” should probably mean “don’t start any services such as web services”? Will discuss in multiple boot modes for better security: persistent + root | persistent + noroot | live + root | live + noroot
We could auto-restore permissions for later added whitelist entries, since permissions before the change are recorded in /var/lib/permission-hardening/existing_mode (in the `if [ "$mode_from_config" = "exactwhitelist" ]; then` branch). Same for `if [ "$mode_from_config" = "matchwhitelist" ]; then`. But not sure if worth the effort.
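A sketch of the auto-restore idea as an added example, not security-misc's own code: it assumes a record file with one `<path> <octal mode>` line per entry (the mode as printed by GNU `stat -c '%a'`) and a whitelist with one path per line; the real format of existing_mode and the whitelist parsing are assumptions.

```shell
#!/bin/sh
# Added example (not security-misc's own code). Restores the recorded
# pre-hardening mode for paths that have since been whitelisted.
# Assumed record format: "<path> <octal mode>" per line, e.g. "/usr/bin/foo 4755".
set -u

# restore_whitelisted_modes RECORD_FILE WHITELIST_FILE
# For every recorded path that is also listed in WHITELIST_FILE and whose
# current mode differs from the recorded one, chmod it back to the recorded
# mode. Prints "restored <path> <mode>" per change; returns 1 on error.
restore_whitelisted_modes() {
  record_file="$1"
  whitelist_file="$2"
  [ -r "$record_file" ] && [ -r "$whitelist_file" ] || return 1
  while read -r path mode; do
    # skip blank lines and comments in the record file
    case "$path" in ''|'#'*) continue ;; esac
    # only paths the user has whitelisted are candidates (exact line match)
    grep -qxF -- "$path" "$whitelist_file" || continue
    # the binary may have been removed since the record was written
    [ -e "$path" ] || continue
    current="$(stat -c '%a' "$path")"
    if [ "$current" != "$mode" ]; then
      chmod "$mode" "$path" || return 1
      echo "restored $path $mode"
    fi
  done < "$record_file"
}
```

Paths that are recorded but not whitelisted stay hardened, which is the behaviour the service already enforces on each run.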