diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening
index 8af2b36..b6c2ce4 100755
--- a/usr/lib/security-misc/permission-hardening
+++ b/usr/lib/security-misc/permission-hardening
@@ -91,12 +91,16 @@ set_file_perms() {
 fso_without_trailing_slash="${fso%/}"
+ ## Use dpkg-statoverride so permissions are not reset during upgrades.
+
 nosuid=""
 if [ "$mode_from_config" = "nosuid" ]; then
 nosuid="true"
 ## If mode_from_config is "nosuid" the config does not set owner and
 ## group. Therefore do not enforce owner/group check.
+
+ add_statoverride_entry
 else
 if ! seq -w 000 4777 | grep -qw "$mode_from_config"; then
 echo "ERROR: Mode '$mode_from_config' is invalid!" >&2
@@ -112,25 +116,27 @@ set_file_perms() {
 echo "ERROR: Group '$group' does not exist!" >&2
 continue
 fi
- fi
- ## Use dpkg-statoverride so permissions are not reset during upgrades.
-
- ## Check there is an entry for the fso.
- if dpkg-statoverride --list | grep -q "$fso_without_trailing_slash"; then
- ## There is an fso entry. Check if owner/group/mode match.
- if ! dpkg-statoverride --list | grep -q "$owner $group $mode_from_config $fso_without_trailing_slash"; then
- ## The owner/group/mode do not match, therefore remove and re-add the entry to update it.
- ## fso_without_trailing_slash instead of fso to prevent
- ## "dpkg-statoverride: warning: stripping trailing /"
- echo_wrapper dpkg-statoverride --remove "$fso_without_trailing_slash"
+ ## Check there is an entry for the fso.
+ if dpkg-statoverride --list | grep -q "$fso_without_trailing_slash"; then
+ ## There is an fso entry. Check if owner/group/mode match.
+ if ! dpkg-statoverride --list | grep -q "$owner $group $mode_from_config $fso_without_trailing_slash"; then
+ ## The owner/group/mode do not match, therefore remove and re-add the entry to update it.
+ ## fso_without_trailing_slash instead of fso to prevent
+ ## "dpkg-statoverride: warning: stripping trailing /"
+ echo_wrapper dpkg-statoverride --remove "$fso_without_trailing_slash"
+ add_statoverride_entry
+ fi
+ else
+ ## There is no fso entry. Therefore add one.
 add_statoverride_entry
 fi
- else
- ## There is no fso entry. Therefore add one.
- add_statoverride_entry
 fi
+
+
+
+
 if [ "$capability" = "" ]; then
 continue
 fi
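Review bot: The existence check `if dpkg-statoverride --list | grep -q "$fso_without_trailing_slash"; then` on the new side is an unanchored regex substring match over the whole override list, so an entry for a longer path (constructed example: `/usr/bin/foo` against an existing `/usr/bin/foobar` entry) or a path whose `.` characters match other characters satisfies it, and if that other entry also carries the same owner/group/mode the second grep passes as well and no override is ever recorded for this path. Letting dpkg do the lookup removes both problems: `if dpkg-statoverride --list "$fso_without_trailing_slash" >/dev/null 2>&1; then` (its exit status is 1 when no override matches) and, for the comparison, `if ! dpkg-statoverride --list "$fso_without_trailing_slash" | grep -qxF "$owner $group $mode_from_config $fso_without_trailing_slash"; then` so only a whole, literal line counts as a match. It is also worth confirming that dpkg-statoverride prints the mode in the same width as the four-digit values `seq -w 000 4777` produces; if it drops a leading zero, every non-setuid entry would fail the comparison and be removed and re-added on each run. The enclosing set_file_perms() starts before this hunk.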