So since 2004 #FreeBSD has had a security system called "ugidfw" (the mac_bsdextended(4) MAC policy, "firewall-like access controls for file system objects"), where you apply firewall-like rules to permit or deny a given uid:gid access to specific directories or files.
For example I could say:
ugidfw add subject uid 22 gid 22 object uid 0 gid 0 filesys / type r mode r
and then sshd (uid 22 / gid 22 is the sshd privilege-separation user) could only ever read regular files owned by root:wheel, never write them, etc.
It's a great way to detect when applications are trying to do strange things with permissions you are not expecting.
But it is a huge pain to debug problems, and there are basically no guides or how-to examples. I keep meaning to write something up, but before I do, is anyone aware of or interested in ugidfw?
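As an added worked example (mine, not the poster's), here is a small script that renders a ugidfw(8) ruleset for the sshd user, applies it with mac_bsdextended(4) loaded, and turns on denial logging for debugging. It assumes uid/gid 22 is FreeBSD's sshd privilege-separation user and that /etc/rc.bsdextended is the file rc.d/ugidfw sources as shell when ugidfw_enable="YES" is set in rc.conf; the rules themselves are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: build, review and apply a
# mac_bsdextended(4) ruleset with ugidfw(8).
# Assumptions: uid/gid 22 is FreeBSD's sshd privilege-separation user;
# /etc/rc.bsdextended is the file rc.d/ugidfw sources (as shell) when
# ugidfw_enable="YES" is set in rc.conf.

# Emit one rule in ugidfw(8) syntax:
#   ugidfw add subject uid U gid G object uid U gid G filesys FS type T mode M
# type letters: l symlink, d directory, r regular file, b/c block/char device,
# s socket; mode letters: a admin, r read, s stat, w write, x execute, n none.
ugidfw_rule() {
    printf 'ugidfw add subject uid %s gid %s object uid %s gid %s filesys %s type %s mode %s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6" "$7"
}

# Render the ruleset body. Rules are checked in order and, with
# security.mac.bsdextended.firstmatch_enabled=1, the first match decides, so
# the narrow permits come first and the explicit deny-everything-else last.
render_ruleset() {
    echo '# /etc/rc.bsdextended -- constructed example ruleset for the sshd user'
    ugidfw_rule 22 22 0 0 / r rs   # read + stat root:wheel regular files
    ugidfw_rule 22 22 0 0 / d xs   # search (lookup needs x) + stat root:wheel directories
    # anything else root:wheel owns under /: no access at all
    echo 'ugidfw add subject uid 22 gid 22 object uid 0 gid 0 filesys / mode n'
}

# Load the policy, log denials while the rules are still being debugged,
# apply the rendered rules, then show what the kernel actually holds.
apply_ruleset() {
    kldload -n mac_bsdextended                      # -n: fine if already loaded
    sysctl security.mac.bsdextended.logging=1       # denials go to the kernel log
    sysctl security.mac.bsdextended.firstmatch_enabled
    render_ruleset | sh
    ugidfw list
}

# Off-switch while troubleshooting: rules stay loaded but are not enforced.
disable_policy() {
    sysctl security.mac.bsdextended.enabled=0
}

case "${1:-render}" in
    render)  render_ruleset ;;
    apply)   apply_ruleset ;;
    disable) disable_policy ;;
esac
```

Run it with no argument to print the ruleset for review (or to redirect into /etc/rc.bsdextended), `apply` as root to load and enforce it, and `disable` to stop enforcement without removing rules. The explicit `mode n` rule at the end makes the policy's effect on the sshd user visible in `ugidfw list` instead of depending on what the earlier rules happen not to cover, and with logging on, each denial shows up in the kernel log, which is the quickest way to find out which file a misbehaving rule is blocking.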