Merge branch 'master' of https://github.com/netblue30/firejail

30 files changed, 313 insertions, 46 deletions

diff --git a/Makefile.in b/Makefile.in
index 2d73daa46..135b0a37c 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,7 +1,7 @@
 all: apps man filters
 MYLIBS = src/lib
 APPS = src/firejail src/firemon src/fsec-print src/fsec-optimize src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp
-MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
+MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.64 seccomp.block_secondary seccomp.mdwx
 
 prefix=@prefix@
diff --git a/README b/README
index 4f9bba945..e6f8d935b 100644
--- a/README
+++ b/README
@@ -248,6 +248,9 @@ glitsj16 (https://github.com/glitsj16)
         - evince-previewer, evince-thumbnailer profiles
         - gnome-recipes, gnome-logs profiles
         - fixed private-lib for gnome-calculator
+        - gunzip, bunzip2 profiles
+        - enchant, enchat-2, enchant-lsmod, enchant-lsmod-2 profiles
+        - atool, soundconvertor, mpd, gnome-calculator, makepkg profile fixes
 graywolf (https://github.com/graywolf)
         - spelling fix
 greigdp (https://github.com/greigdp)
diff --git a/README.md b/README.md
index a464c2c09..c2c19d824 100644
--- a/README.md
+++ b/README.md
@@ -98,6 +98,57 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 `````
 # Current development version: 0.9.53
 
+## Firejail user access database
+`````
+$ man firejail-users
+FIREJAIL-USERS(5)          firejail.users man page          FIREJAIL-USERS(5)
+
+NAME
+       firejail.users - Firejail user access database
+
+DESCRIPTION
+       /etc/firejail/firejail.users  lists  the users allowed to run firejail
+       SUID executable.  If the file is not present in the system, all  users
+       are allowed to use the sandbox.  root user is allowed by default.
+
+       Example:
+
+            $ cat /etc/firejail/firejail.users
+            dustin
+            lucas
+            mike
+            eleven
+
+       Use  a  text editor to add or remove users from the list. You can also
+       use firecfg --add-users command. Example:
+
+            $ sudo firecfg --add-users dustin lucas mike eleven
+
+       By default, running firecfg creates the file and adds the current user
+       to the list. Example:
+
+            $ sudo firecfg
+
+       See man 1 firecfg for details.
+
+FILES
+       /etc/firejail/firejail.users
+
+LICENSE
+       Firejail  is  free  software; you can redistribute it and/or modify it
+       under the terms of the GNU General Public License as published by  the
+       Free Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+       Homepage: https://firejail.wordpress.com
+
+SEE ALSO
+       firejail(1),  firemon(1),  firecfg(1),  firejail-profile(5)  firejail-
+       login(5)
+
+0.9.53                             Apr 2018                 FIREJAIL-USERS(5)
+`````
+
 ## Spectre mitigation
 
 If your gcc compiler version supports it, -mindirect-branch=thunk is inserted into EXTRA_CFLAGS during software configuration.
@@ -155,6 +206,14 @@ This feature is also supported for LLVM/clang compiler
 
               Example:
               $ firejail --nodbus --net=none
+
+       --noautopulse
+              Disable automatic ~/.config/pulse init, for complex setups such
+              as remote pulse servers or non-standard socket paths.
+
+              Example:
+              $ firejail --noautopulse firefox
+
 `````
 
 ## AppImage development
@@ -308,4 +367,5 @@ Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-can
 pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain,
 tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder,
 gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.8,
-thunderbird-beta, ncdu, gnome-logs, gcloud, musixmatch
+thunderbird-beta, ncdu, gnome-logs, gcloud, musixmatch, gunzip, bunzip2,
+enchant, enchant-2, enchant-lsmod, enchant-lsmod-2
diff --git a/RELNOTES b/RELNOTES
index 9f63610e6..87b3f3780 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -13,6 +13,8 @@ firejail (0.9.53) baseline; urgency=low
      firefox-common-addons.inc in firefox-common.profile.
   * modif: split disable-devel.inc into disable-devel and
      disable-interpreters.inc
+  * Firejail user access database (/etc/firejail/firejail.users,
+     man firejail-users)
   * add --noautopulse to disable automatic ~/.config/pulse (for complex setups)
   * Spectre mitigation patch for gcc and clang compiler
   * D-Bus handling (--nodbus)
@@ -36,7 +38,8 @@ firejail (0.9.53) baseline; urgency=low
   * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes
   * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer,
   * new profiles: blender-2.8, thunderbird-beta, ncdu, gnome-logs, gcloud
-  * new profiles: musixmatch
+  * new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2
+  * new profiles: enchant, enchant-2
  -- netblue30 <netblue30@yahoo.com>  Thu, 1 Mar 2018 08:00:00 -0500
 
 firejail (0.9.52) baseline; urgency=low
diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile
index 11474fdc3..0cbe306e8 100644
--- a/etc/akonadi_control.profile
+++ b/etc/akonadi_control.profile
@@ -34,8 +34,8 @@ include /etc/firejail/whitelist-var-common.inc
 # apparmor
 caps.drop all
 ipc-namespace
-no3d
 netfilter
+no3d
 nodvd
 nogroups
 # nonewprivs
diff --git a/etc/akregator.profile b/etc/akregator.profile
index 19da62916..1b8807757 100644
--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -20,7 +20,6 @@ whitelist ${HOME}/.config/akregatorrc
 whitelist ${HOME}/.local/share/akregator
 whitelist ${HOME}/.local/share/kssl
 include /etc/firejail/whitelist-common.inc
-
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
@@ -33,7 +32,8 @@ noroot
 notv
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+# chroot syscalls are needed for setting up the built-in sandbox
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
 
 disable-mnt
diff --git a/etc/atool.profile b/etc/atool.profile
index e21d352b4..83b681437 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -38,5 +38,5 @@ tracelog
 
 # private-bin atool
 private-dev
-private-etc none
+private-etc passwd,group
 private-tmp
diff --git a/etc/basilisk.profile b/etc/basilisk.profile
index ac7f30c04..43ba5adcb 100644
--- a/etc/basilisk.profile
+++ b/etc/basilisk.profile
@@ -14,6 +14,10 @@ whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/moonchild productions/basilisk
 whitelist ${HOME}/.moonchild productions
 
+# Basilisk can use the full firejail seccomp filter (unlike firefox >= 60)
+ignore seccomp.drop
+seccomp
+
 #private-bin basilisk
 # private-etc must first be enabled in firefox-common.profile
 #private-etc basilisk
diff --git a/etc/bunzip2.profile b/etc/bunzip2.profile
new file mode 100644
index 000000000..f483a1d3d
--- /dev/null
+++ b/etc/bunzip2.profile
@@ -0,0 +1,9 @@
+# Firejail profile for bunzip2
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/bunzip2.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# Redirect
+include /etc/firejail/gzip.profile
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index f7cc1ce94..b68dde0c4 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -205,6 +205,7 @@ blacklist ${HOME}/.config/smplayer
 blacklist ${HOME}/.config/smtube
 blacklist ${HOME}/.config/specialmailcollectionsrc
 blacklist ${HOME}/.config/spotify
+blacklist ${HOME}/.config/sqlitebrowser
 blacklist ${HOME}/.config/stellarium
 blacklist ${HOME}/.config/synfig
 blacklist ${HOME}/.config/telepathy-account-widgets
@@ -440,6 +441,8 @@ blacklist ${HOME}/.mcabber
 blacklist ${HOME}/.mcabberrc
 blacklist ${HOME}/.mediathek3
 blacklist ${HOME}/.minetest
+blacklist ${HOME}/.moonchild productions/basilisk
+blacklist ${HOME}/.moonchild productions/pale moon
 blacklist ${HOME}/.mozilla
 blacklist ${HOME}/.mpd
 blacklist ${HOME}/.mpdconf
@@ -555,6 +558,7 @@ blacklist ${HOME}/.cache/kwin
 blacklist ${HOME}/.cache/libgweather
 blacklist ${HOME}/.cache/liferea
 blacklist ${HOME}/.cache/midori
+blacklist ${HOME}/.cache/moonchild productions/basilisk
 blacklist ${HOME}/.cache/moonchild productions/pale moon
 blacklist ${HOME}/.cache/mozilla
 blacklist ${HOME}/.cache/mutt
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 3fe83eda0..9ebcdba6c 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -33,7 +33,7 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
 tracelog
 
diff --git a/etc/firejail-default b/etc/firejail-default
index 5d116fbbc..ad3fdd718 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -72,6 +72,7 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 ##########
 /proc/ r,
 /proc/** r,
+owner /proc/[0-9]*/{uid_map,gid_map,setgroups} w,
 # Uncomment to silence all denied write warnings
 #deny /proc/** w,
 deny /proc/@{PID}/oom_adj w,
diff --git a/etc/gunzip.profile b/etc/gunzip.profile
new file mode 100644
index 000000000..8ea523df7
--- /dev/null
+++ b/etc/gunzip.profile
@@ -0,0 +1,9 @@
+# Firejail profile for gunzip
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/gunzip.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# Redirect
+include /etc/firejail/gzip.profile
diff --git a/etc/palemoon.profile b/etc/palemoon.profile
index ff7087e55..1104acff4 100644
--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -13,6 +13,10 @@ mkdir ${HOME}/.moonchild productions
 whitelist ${HOME}/.cache/moonchild productions/pale moon
 whitelist ${HOME}/.moonchild productions
 
+# Palemoon can use the full firejail seccomp filter (unlike firefox >= 60)
+ignore seccomp.drop
+seccomp
+
 #private-bin palemoon
 # private-etc must first be enabled in firefox-common.profile
 #private-etc palemoon
diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile
index 944417083..3d231cf5b 100644
--- a/etc/soundconverter.profile
+++ b/etc/soundconverter.profile
@@ -5,6 +5,12 @@ include /etc/firejail/soundconverter.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc
diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile
index 4c473a9ad..9711276c8 100644
--- a/etc/sqlitebrowser.profile
+++ b/etc/sqlitebrowser.profile
@@ -32,6 +32,6 @@ private-bin sqlitebrowser
 private-dev
 private-tmp
 
-memory-deny-write-execute
+# memory-deny-write-execute - breaks on Arch
 noexec ${HOME}
 noexec /tmp
diff --git a/platform/rpm/firejail.spec b/platform/rpm/firejail.spec
index 94e5d60eb..9fe35e528 100644
--- a/platform/rpm/firejail.spec
+++ b/platform/rpm/firejail.spec
@@ -45,4 +45,5 @@ rm -rf %{buildroot}
 %{_mandir}/man1/firemon.1.gz
 %{_mandir}/man5/__NAME__-login.5.gz
 %{_mandir}/man5/__NAME__-profile.5.gz
+%{_mandir}/man5/__NAME__-users.5.gz
 %config %{_sysconfdir}/__NAME__
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index f8e0f3bc7..e34ac786c 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -431,6 +431,8 @@ xonotic-glx
 xonotic-sdl
 xpdf
 xplayer
+xplayer-audio-preview
+xplayer-video-thumbnailer
 xpra
 xreader
 xreader-previewer
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index a54607aec..b79053d3e 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -30,7 +30,7 @@ static char *usage_str =
         "The symbolic links are placed in /usr/local/bin. For more information, see\n"
         "DESKTOP INTEGRATION section in man 1 firejail.\n\n"
         "Usage: firecfg [OPTIONS]\n\n"
-        "   --add-users user [user] - add the users to Firejail access database\n"
+        "   --add-users user [user] - add the users to Firejail user access database.\n\n"
         "   --clean - remove all firejail symbolic links.\n\n"
         "   --debug - print debug messages.\n\n"
         "   --fix - fix .desktop files.\n\n"
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index d6c39260b..4fd11ab4f 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -778,6 +778,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 #define PATH_FIREJAIL (PREFIX "/bin/firejail")
 #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
 #define PATH_FSEC_PRINT (LIBDIR "/firejail/fsec-print")
+#define PATH_FSEC_OPTIMIZE (LIBDIR "/firejail/fsec-optimize")
 #define PATH_FCOPY (LIBDIR "/firejail/fcopy")
 #define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin"
 #define PATH_FLDD (LIBDIR "/firejail/fldd")
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 1e60b6477..709ce96b6 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1022,19 +1022,17 @@ int sandbox(void* sandbox_arg) {
 #endif
 
         //****************************************
-        // drop privileges or create a new user namespace
+        // create a new user namespace
+        //     - too early to drop privileges
         //****************************************
         save_nogroups();
         if (arg_noroot) {
                 int rv = unshare(CLONE_NEWUSER);
                 if (rv == -1) {
                         fwarning("cannot create a new user namespace, going forward without it...\n");
-                        drop_privs(arg_nogroups);
                         arg_noroot = 0;
                 }
         }
-        else
-                drop_privs(arg_nogroups);
 
         // notify parent that new user namespace has been created so a proper
         // UID/GID map can be setup
@@ -1066,8 +1064,9 @@ int sandbox(void* sandbox_arg) {
         }
 
         //****************************************
-        // fork the application and monitor it
+        // drop privileges, fork the application and monitor it
         //****************************************
+        drop_privs(arg_nogroups);
         pid_t app_pid = fork();
         if (app_pid == -1)
                 errExit("fork");
@@ -1085,6 +1084,7 @@ int sandbox(void* sandbox_arg) {
                                 printf("AppArmor enabled\n");
                 }
 #endif
+
                 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
                 start_application(0);   // start app
         }
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 0184db65c..1ee6256d4 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -210,6 +210,11 @@ int seccomp_filter_drop(void) {
                                               PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list);
                         if (rv)
                                 exit(rv);
+
+                        // optimize the new filter
+                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSEC_OPTIMIZE, RUN_SECCOMP_CFG);
+                        if (rv)
+                                exit(rv);
                 }
         }
 
@@ -232,6 +237,11 @@ int seccomp_filter_drop(void) {
 
                 if (rv)
                         exit(rv);
+
+                // optimize the drop filter
+                rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSEC_OPTIMIZE, RUN_SECCOMP_CFG);
+                if (rv)
+                        exit(rv);
         }
 
         // load the filter
diff --git a/src/firejail/util.c b/src/firejail/util.c
index c644f83a8..14e9f6440 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -32,6 +32,61 @@
 #include <sys/wait.h>
 
 #define MAX_GROUPS 1024
+
+static void clean_supplementary_groups(gid_t gid) {
+        assert(cfg.username);
+        gid_t groups[MAX_GROUPS];
+        int ngroups = MAX_GROUPS;
+
+        int rv = getgrouplist(cfg.username, gid, groups, &ngroups);
+        if (rv == -1)
+                goto clean_all;
+
+        // clean supplementary group list
+        // allow only tty, audio, video, games
+        gid_t new_groups[MAX_GROUPS];
+        int new_ngroups = 0;
+        char *allowed[] = {
+                "tty",
+                "audio",
+                "video",
+                "games",
+                NULL
+        };
+
+        int i = 0;
+        while (allowed[i]) {
+                gid_t g = get_group_id(allowed[i]);
+                if (g) {
+                        int j;
+                        for (j = 0; j < ngroups; j++) {
+                                if (g == groups[j]) {
+                                        new_groups[new_ngroups] = g;
+                                        new_ngroups++;
+                                        break;
+                                }
+                        }
+                }
+                i++;
+        }
+
+        if (new_ngroups) {
+                rv = setgroups(new_ngroups, new_groups);
+                if (rv)
+                        goto clean_all;
+        }
+        else
+                goto clean_all;
+
+        return;
+
+clean_all:
+        fwarning("cleaning all supplementary groups\n");
+        if (setgroups(0, NULL) < 0)
+                errExit("setgroups");
+}
+
+
 // drop privileges
 // - for root group or if nogroups is set, supplementary groups are not configured
 void drop_privs(int nogroups) {
@@ -45,34 +100,8 @@ void drop_privs(int nogroups) {
                 if (arg_debug)
                         printf("Username %s, no supplementary groups\n", cfg.username);
         }
-        else {
-                assert(cfg.username);
-                gid_t groups[MAX_GROUPS];
-                int ngroups = MAX_GROUPS;
-                int rv = getgrouplist(cfg.username, gid, groups, &ngroups);
-
-                if (arg_debug && rv) {
-                        printf("Username %s, groups ", cfg.username);
-                        int i;
-                        for (i = 0; i < ngroups; i++)
-                                printf("%u, ", groups[i]);
-                        printf("\n");
-                }
-
-                if (rv == -1) {
-                        fwarning("cannot extract supplementary group list, dropping them\n");
-                        if (setgroups(0, NULL) < 0)
-                                errExit("setgroups");
-                }
-                else {
-                        rv = setgroups(ngroups, groups);
-                        if (rv) {
-                                fwarning("cannot set supplementary group list, dropping them\n");
-                                if (setgroups(0, NULL) < 0)
-                                        errExit("setgroups");
-                        }
-                }
-        }
+        else if (arg_noroot)
+                clean_supplementary_groups(gid);
 
         // set uid/gid
         if (setgid(getgid()) < 0)
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index e7a7ef6d9..80cb201d9 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -30,9 +30,31 @@ installing new programs. If the program is supported by Firejail, the symbolic l
 will be created. For a full list of programs supported by default run "cat /usr/lib/firejail/firecfg.config".
 
 For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.
+.SH DEFAULT ACTIONS
+The following actions are implemented by default by running sudo firecfg:
+
+.RS
+- set or update the symbolic links for desktop integration;
+.br
+
+.br
+- add the current user to Firejail user access database (firecfg --add-users);
+.br
+
+.br
+-fix desktop files in $HOME/.local/share/applications/ (firecfg --fix).
+.RE
 
 .SH OPTIONS
 .TP
+\fB\-\-add-users user [user]
+Add the list of users to Firejail user access database.
+
+Example:
+.br
+$ sudo firecfg --add-users dustin lucas mike eleven
+
+.TP
 \fB\-\-clean
 Remove all firejail symbolic links.
 
@@ -102,3 +124,4 @@ Homepage: https://firejail.wordpress.com
 \&\flfiremon\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
 \&\flfirejail-login\fR\|(5)
+\&\flfirejail-users\fR\|(5)
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
index 29030ba45..c2fa63dc4 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -1,4 +1,4 @@
-.TH FIREJAIL-LOGIN 5 "MONTH YEAR" "VERSION" "firejail login.users man page"
+.TH FIREJAIL-LOGIN 5 "MONTH YEAR" "VERSION" "login.users man page"
 .SH NAME
 login.users \- Login file syntax for Firejail
 
@@ -38,3 +38,4 @@ Homepage: https://firejail.wordpress.com
 \&\flfiremon\fR\|(1),
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5)
+\&\flfirejail-users\fR\|(5)
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 4b6e9766f..b529f63e3 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -232,7 +232,7 @@ All modifications are discarded when the sandbox is closed.
 .TP
 \fBprivate-lib file,directory
 Build a new /lib directory and bring in the libraries required by the application to run.
-This feature is still under development, see man 1 firejail for some examples.
+This feature is still under development, see \fBman 1 firejail\fR for some examples.
 .TP
 \fBprivate-opt file,directory
 Build a new /optin a temporary
@@ -610,3 +610,4 @@ Homepage: https://firejail.wordpress.com
 \&\flfiremon\fR\|(1),
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-login\fR\|(5)
+\&\flfirejail-users\fR\|(5)
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt
new file mode 100644
index 000000000..fcc0f914b
--- /dev/null
+++ b/src/man/firejail-users.txt
@@ -0,0 +1,45 @@
+.TH FIREJAIL-USERS 5 "MONTH YEAR" "VERSION" "firejail.users man page"
+.SH NAME
+firejail.users \- Firejail user access database
+
+.SH DESCRIPTION
+/etc/firejail/firejail.users lists the users allowed to run firejail SUID executable.
+If the file is not present in the system, all users are allowed to use the sandbox.
+root user is allowed by default.
+
+Example:
+
+        $ cat /etc/firejail/firejail.users
+.br
+        dustin
+.br
+        lucas
+.br
+        mike
+.br
+        eleven
+
+Use a text editor to add or remove users from the list. You can also use firecfg \-\-add-users
+command. Example:
+
+        $ sudo firecfg --add-users dustin lucas mike eleven
+
+By default, running firecfg creates the file and adds the current user to the list. Example:
+
+        $ sudo firecfg
+
+See \fBman 1 firecfg\fR for details.
+
+.SH FILES
+/etc/firejail/firejail.users
+
+.SH LICENSE
+Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+.PP
+Homepage: https://firejail.wordpress.com
+.SH SEE ALSO
+\&\flfirejail\fR\|(1),
+\&\flfiremon\fR\|(1),
+\&\flfirecfg\fR\|(1),
+\&\flfirejail-profile\fR\|(5)
+\&\flfirejail-login\fR\|(5)
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index e55d01253..6e8e4eb2c 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2691,7 +2691,7 @@ Child process initialized
 [...]
 .RE
 
-See man 5 firejail-profile for profile file syntax information.
+See \fBman 5 firejail-profile\fR for profile file syntax information.
 
 .SH RESTRICTED SHELL
 To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
@@ -2739,3 +2739,4 @@ Homepage: https://firejail.wordpress.com
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
 \&\flfirejail-login\fR\|(5)
+\&\flfirejail-users\fR\|(5)
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index 91c59af4d..9cae72b54 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -111,3 +111,4 @@ Homepage: http://firejail.wordpress.com
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
 \&\flfirejail-login\fR\|(5)
+\&\flfirejail-users\fR\|(5)
diff --git a/src/tools/testuid.c b/src/tools/testuid.c
new file mode 100644
index 000000000..633b9773e
--- /dev/null
+++ b/src/tools/testuid.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2014-2018 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+// compile: gcc -o testuid testuid.c
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+
+
+static void print_status(void) {
+        FILE *fp = fopen("/proc/self/status", "r");
+        if (!fp) {
+                fprintf(stderr, "Error, cannot open staus file\n");
+                exit(1);
+        }
+
+        char buf[4096];
+        while (fgets(buf, 4096, fp)) {
+                if (strncmp(buf, "Uid", 3) == 0 || strncmp(buf, "Gid", 3) == 0)
+                        printf("%s", buf);
+        }
+
+        fclose(fp);
+}
+
+int main(void) {
+        print_status();
+        return 0;
+}