52 files changed, 452 insertions, 283 deletions
diff --git a/.gitignore b/.gitignore
index 1285dea92..5e26f1711 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,6 +14,7 @@ firejail-*.tar.xz
 firejail-login.5
 firejail-profile.5
 firejail-config.5
+firejail-users.5
 firejail.1
 firemon.1
 firecfg.1
diff --git a/Makefile.in b/Makefile.in
index 135b0a37c..ce79a1181 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -25,8 +25,8 @@ HAVE_SUID=@HAVE_SUID@
 uids.h:; ./mkuid.sh
 .PHONY: mylibs $(MYLIBS)
-mylibs: $(MYLIBS) uids.h
+mylibs: $(MYLIBS)
-$(MYLIBS):
+$(MYLIBS): uids.h
        $(MAKE) -C $@
 .PHONY: apps $(APPS)
diff --git a/README b/README
index e6f8d935b..29137f618 100644
--- a/README
+++ b/README
@@ -84,6 +84,7 @@ announ (https://github.com/announ)
        - mpv and youtube-dl profile fixes
 Antonio Russo (https://github.com/aerusso)
        - enumerate root directories in apparmor profile
+        - fix join-or-start
 Austin S. Hemmelgarn (https://github.com/Ferroin)
        - unbound profile update
 avoidr (https://github.com/avoidr)
@@ -251,6 +252,11 @@ glitsj16 (https://github.com/glitsj16)
        - gunzip, bunzip2 profiles
        - enchant, enchat-2, enchant-lsmod, enchant-lsmod-2 profiles
        - atool, soundconvertor, mpd, gnome-calculator, makepkg profile fixes
+        - acat, adiff, als, apack, arepack, aunpack profiles,
+        - fix sqlitebrowser blacklist
+        - spelling fixes
+        - bitblbee profile fixes
+        - fix firefox common addons
 graywolf (https://github.com/graywolf)
        - spelling fix
 greigdp (https://github.com/greigdp)
@@ -295,6 +301,9 @@ James Elford (https://github.com/jelford)
        - removed shell none from ssh-agent configuration, fixing the infinit loop
        - added gcloud profile
        - blacklist sensitive cloud provider files in disable-common
+Jean Lucas (https://github.com/flacks)
+        - fix Discord profile
+        - add AnyDesk profile
 Jericho (https://github.com/attritionorg)
        - spelling
 Jesse Smith (https://github.com/slicer69)
diff --git a/README.md b/README.md
index c2c19d824..99da04f54 100644
--- a/README.md
+++ b/README.md
@@ -367,5 +367,7 @@ Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-can
 pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain,
 tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder,
 gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.8,
-thunderbird-beta, ncdu, gnome-logs, gcloud, musixmatch, gunzip, bunzip2,
+thunderbird-beta, ncdu, gnome-logs, gcloud, musixmatch, gunzip, bunzip2, enchant,
-enchant, enchant-2, enchant-lsmod, enchant-lsmod-2
+enchant-2, enchant-lsmod, enchant-lsmod-2, Discord, acat, adiff, als, apack, arepack,
+aunpack profiles, ppsspp, scallion, clion, baloo_filemetadata_temp_extractor,
+AnyDesk
diff --git a/RELNOTES b/RELNOTES
index 87b3f3780..52d139551 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,7 +1,9 @@
 firejail (0.9.53) baseline; urgency=low
  * work in progress
-  * modif: --force depercated
+  * modif: --force removed
-  * modif: --git-install and --git-uninstall deprecated
+  * modif: --csh, --zsh removed
+  * modif: --debug-check-filename removed
+  * modif: --git-install and --git-uninstall removed
  * modif: support for private-bin, private-lib and shell none has been
     disabled while running AppImage archives in order to be able to use
     our regular profile files with AppImages.
@@ -35,11 +37,13 @@ firejail (0.9.53) baseline; urgency=low
  * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,
  * new profiles: discord-canary, pycharm-community, pycharm-professional,
  * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine,
-  * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes
+  * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes,
  * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer,
-  * new profiles: blender-2.8, thunderbird-beta, ncdu, gnome-logs, gcloud
+  * new profiles: blender-2.8, thunderbird-beta, ncdu, gnome-logs, gcloud,
-  * new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2
+  * new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2,
-  * new profiles: enchant, enchant-2
+  * new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack,
+  * new profiles: arepack, aunpack profiles, ppsspp, scallion, clion,
+  * new profiles: baloo_filemetadata_temp_extractor, AnyDesk
 -- netblue30 <netblue30@yahoo.com>  Thu, 1 Mar 2018 08:00:00 -0500
 firejail (0.9.52) baseline; urgency=low
diff --git a/etc/anydesk.profile b/etc/anydesk.profile
new file mode 100644
index 000000000..6d6f2bb26
--- /dev/null
+++ b/etc/anydesk.profile
@@ -0,0 +1,31 @@
+# Firejail profile for AnyDesk
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/anydesk.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+mkdir ${HOME}/.anydesk
+whitelist ${HOME}/.anydesk
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-interpreters.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private-bin anydesk
+private-dev
+private-tmp
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile
index b71f66ba5..240573f44 100644
--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -35,7 +35,7 @@ seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fano
 shell none
 # x11 xorg
-private-bin baloo_file,baloo_file_extractor,kbuildsycoca4
+private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kbuildsycoca4
 private-dev
 private-tmp
diff --git a/etc/baloo_filemetadata_temp_extractor.profile b/etc/baloo_filemetadata_temp_extractor.profile
new file mode 100644
index 000000000..6d09ecf40
--- /dev/null
+++ b/etc/baloo_filemetadata_temp_extractor.profile
@@ -0,0 +1,11 @@
+# Firejail profile for baloo_filemetadata_temp_extractor
+# This file is overwritten after every install/update
+# Persistent local customizations
+quiet
+include /etc/firejail/baloo_filemetadata_temp_extractor.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+# Redirect
+include /etc/firejail/baloo_file.profile
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index b6baa66bc..1cd5d6a69 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -28,7 +28,6 @@ seccomp
 disable-mnt
 private
 private-dev
-private-dev
 private-tmp
 read-write /var/lib/bitlbee
diff --git a/etc/clion.profile b/etc/clion.profile
new file mode 100644
index 000000000..115df72c4
--- /dev/null
+++ b/etc/clion.profile
@@ -0,0 +1,34 @@
+# Firejail profile for CLion
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/clion.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.CLion*
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.java
+noblacklist ${HOME}/.local/share/JetBrains
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.tooling
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+private-dev
+# private-tmp
+noexec /tmp
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index ff5dc7b6b..71d4ad97b 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -116,6 +116,10 @@ blacklist /run/user/*/kdeinit5__*
 # blacklist /tmp/ksocket-*/kdeinit4__*
 #  - causes issues when kdeinit4 gets killed; enable on KDE Plasma 4
+# gnome
+# contains extensions, last used times of applications, and notifications
+blacklist ${HOME}/.local/share/gnome-shell
 # systemd
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
@@ -160,7 +164,7 @@ blacklist /var/lib/mysql/mysql.sock
 blacklist /var/lib/mysqld/mysql.sock
 blacklist /var/lib/pacman
 blacklist /var/lib/upower
-# blacklist /var/log - a virtual /var/log directory (mostly empty) is buid up by default for
+# blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for
 #          every sandbox, unless --writeble-var-log switch is activated
 blacklist /var/mail
 blacklist /var/opt
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 879107e4f..4abf4da78 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -8,6 +8,7 @@ blacklist ${HOME}/.*coin
 blacklist ${HOME}/.8pecxstudios
 blacklist ${HOME}/.AndroidStudio*
 blacklist ${HOME}/.Atom
+blacklist ${HOME}/.CLion*
 blacklist ${HOME}/.FBReader
 blacklist ${HOME}/.FontForge
 blacklist ${HOME}/.IdeaIC*
@@ -189,6 +190,7 @@ blacklist ${HOME}/.config/Pinta
 blacklist ${HOME}/.config/pitivi
 blacklist ${HOME}/.config/pix
 blacklist ${HOME}/.config/pluma
+blacklist ${HOME}/.config/ppsspp
 blacklist ${HOME}/.config/psi+
 blacklist ${HOME}/.config/qBittorrent
 blacklist ${HOME}/.config/qBittorrentrc
@@ -430,6 +432,7 @@ blacklist ${HOME}/.local/share/telepathy
 blacklist ${HOME}/.local/share/terasology
 blacklist ${HOME}/.local/share/torbrowser
 blacklist ${HOME}/.local/share/totem
+blacklist ${HOME}/.local/share/uzbl
 blacklist ${HOME}/.local/share/vlc
 blacklist ${HOME}/.local/share/vpltd
 blacklist ${HOME}/.local/share/vulkan
diff --git a/etc/discord.profile b/etc/discord.profile
index bb59ed42d..40deae2fc 100644
--- a/etc/discord.profile
+++ b/etc/discord.profile
@@ -24,9 +24,9 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp
-private-bin discord,sh,xdg-mime
+private-bin discord,sh,xdg-mime,tr,sed,echo,head,cut,xdg-open,grep,egrep
 private-dev
-private-etc fonts
+private-etc fonts,machine-id
 private-tmp
 noexec ${HOME}
diff --git a/etc/firefox-common-addons.inc b/etc/firefox-common-addons.inc
index b237c3c05..f5fd4aa5b 100644
--- a/etc/firefox-common-addons.inc
+++ b/etc/firefox-common-addons.inc
@@ -16,7 +16,6 @@ noblacklist ${HOME}/.kde4/share/apps/okular
 noblacklist ${HOME}/.kde4/share/config/kgetrc
 noblacklist ${HOME}/.kde4/share/config/okularpartrc
 noblacklist ${HOME}/.kde4/share/config/okularrc
-# noblacklist ${HOME}/.local/share/gnome-shell/extensions
 noblacklist ${HOME}/.local/share/kget
 noblacklist ${HOME}/.local/share/okular
 noblacklist ${HOME}/.local/share/qpdfview
@@ -41,7 +40,6 @@ whitelist ${HOME}/.kde4/share/config/okularpartrc
 whitelist ${HOME}/.kde4/share/config/okularrc
 whitelist ${HOME}/.keysnail.js
 whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.local/share/gnome-shell/extensions
 whitelist ${HOME}/.local/share/kget
 whitelist ${HOME}/.local/share/okular
 whitelist ${HOME}/.local/share/qpdfview
@@ -53,3 +51,14 @@ whitelist ${HOME}/.wine-pipelight
 whitelist ${HOME}/.wine-pipelight64
 whitelist ${HOME}/.zotero
 whitelist ${HOME}/dwhelper
+# GNOME Shell integration (chrome-gnome-shell) needs dbus and python 3 (blacklisted by disable-interpreters.inc)
+noblacklist ${HOME}/.local/share/gnome-shell
+whitelist ${HOME}/.local/share/gnome-shell
+ignore nodbus
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python3*
+# Flash plugin
+# private-etc must first be enabled in firefox-common.profile and in profiles including it.
+#private-etc adobe
diff --git a/etc/firejail-default b/etc/firejail-default
index 2e48439f5..5cfb1b5ea 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -21,10 +21,10 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 #dbus,
 ##########
-# Allows to attach to a running program and modify the process memory.
+# With ptrace it is possible to inspect and hijack running programs. Usually this
-# May be needed by chromium crash handler. Uncomment if you need it.
+# is needed only for debugging. To allow ptrace, uncomment the following line
 ##########
-#ptrace (trace tracedby),
+#ptrace,
 ##########
 # Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes
@@ -133,8 +133,8 @@ network raw,
 signal,
 ##########
-# We let Firejail deal with capabilities,
+# We let Firejail deal with capabilities, but ensure that
-# but mac_admin should be dropped in any case.
+# some AppArmor related capabilities will not be available.
 ##########
 capability chown,
 capability dac_override,
diff --git a/etc/flowblade.profile b/etc/flowblade.profile
index bad8538cf..e06107f0f 100644
--- a/etc/flowblade.profile
+++ b/etc/flowblade.profile
@@ -8,6 +8,12 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.config/flowblade
 noblacklist ${HOME}/.flowblade
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc
diff --git a/etc/less.profile b/etc/less.profile
index e2616ba4f..9b04329f2 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -20,7 +20,7 @@ shell none
 tracelog
 writable-var-log
-# The user can have a custom coloring scritps configured in ${HOME}/.lessfilter.
+# The user can have a custom coloring script configured in ${HOME}/.lessfilter.
 # Enable private-bin and private-lib if you are not using any filter.
 # private-bin less
 # private-lib
diff --git a/etc/musixmatch.profile b/etc/musixmatch.profile
index 1a3ee5e6f..fce60e89e 100644
--- a/etc/musixmatch.profile
+++ b/etc/musixmatch.profile
@@ -24,7 +24,6 @@ notv
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
-shell none
 disable-mnt
 private-dev
diff --git a/etc/openshot.profile b/etc/openshot.profile
index 114580f1e..832008564 100644
--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -8,6 +8,12 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.openshot
 noblacklist ${HOME}/.openshot_qt
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc
diff --git a/etc/ppsspp.profile b/etc/ppsspp.profile
new file mode 100644
index 000000000..e19a7b42a
--- /dev/null
+++ b/etc/ppsspp.profile
@@ -0,0 +1,42 @@
+# Firejail profile for ppsspp
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ppsspp.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.config/ppsspp
+# with >=llvm-4 mesa drivers need llvm stuff
+noblacklist /usr/lib/llvm*
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+netfilter
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,netlink
+seccomp
+shell none
+# private-dev is disabled to allow controller support
+#private-dev
+private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies
+private-opt ppsspp
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/ranger.profile b/etc/ranger.profile
index 94b282669..ff65a057b 100644
--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -5,11 +5,19 @@ include /etc/firejail/ranger.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+noblacklist ${HOME}/.config/ranger
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+# Allow perl
 # noblacklist ${PATH}/cpan*
 noblacklist ${PATH}/perl
 noblacklist /usr/lib/perl*
 noblacklist /usr/share/perl*
-noblacklist ${HOME}/.config/ranger
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/scallion.profile b/etc/scallion.profile
new file mode 100644
index 000000000..645f0423c
--- /dev/null
+++ b/etc/scallion.profile
@@ -0,0 +1,42 @@
+# Firejail profile for scallion
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/scallion.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${PATH}/llvm*
+noblacklist /usr/lib/llvm*
+noblacklist ${PATH}/openssl
+noblacklist ${PATH}/openssl-1.0
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+disable-mnt
+private
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile
index 015709247..c2270ce39 100644
--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -25,7 +25,7 @@ seccomp
 shell none
 disable-mnt
-#private-dev
+# private-dev - needs /dev/disk
 private-tmp
 noexec ${HOME}
diff --git a/etc/uzbl-browser.profile b/etc/uzbl-browser.profile
index 0a3549c97..b8a3fa497 100644
--- a/etc/uzbl-browser.profile
+++ b/etc/uzbl-browser.profile
@@ -7,6 +7,13 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.config/uzbl
 noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.local/share/uzbl
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/zathura.profile b/etc/zathura.profile
index b47aeb0da..028e15ef5 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
+machine-id
 # net none
 # nodbus
 nodvd
@@ -29,7 +30,7 @@ shell none
 private-bin zathura
 private-dev
-private-etc fonts
+private-etc fonts,machine-id
 private-tmp
 read-only ${HOME}/
diff --git a/mkuid.sh b/mkuid.sh
index a59f58143..9a37dc2ca 100755
--- a/mkuid.sh
+++ b/mkuid.sh
@@ -6,15 +6,15 @@ echo "#define FIREJAIL_UIDS_H" >> uids.h
 if [ -r /etc/login.defs ]
 then
-        echo "// using values extracted from /etc/login.defs" >> uids.h
        UID_MIN=`awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs`
        GID_MIN=`awk '/^\s*GID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs`
-        echo "#define UID_MIN $UID_MIN" >> uids.h
-        echo "#define GID_MIN $GID_MIN" >> uids.h
-else
-        echo "// using default values" >> uids.h
-        echo "#define UID_MIN 1000" >> uids.h
-        echo "#define GID_MIN 1000" >> uids.h
 fi
+# use default values if not found
+[ -z "$UID_MIN" ] && UID_MIN="1000"
+[ -z "$GID_MIN" ] && GID_MIN="1000"
+echo "#define UID_MIN $UID_MIN" >> uids.h
+echo "#define GID_MIN $GID_MIN" >> uids.h
 echo "#endif" >> uids.h
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c
index 49e58528c..eb3794d3f 100644
--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -163,8 +163,6 @@ void fix_desktop_files(char *homedir) {
                // skip links
                if (is_link(filename))
                        continue;
-                if (stat(filename, &sb) == -1)
-                        errExit("stat");
                // no profile in /etc/firejail, no desktop file fixing
                if (!have_profile(filename, homedir))
@@ -173,23 +171,33 @@ void fix_desktop_files(char *homedir) {
                //****************************************************
                // load the file in memory and do some basic checking
                //****************************************************
-                /* coverity[toctou] */
+                FILE *fp = fopen(filename, "r");
-                int fd = open(filename, O_RDONLY);
+                if (!fp) {
-                if (fd == -1) {
                        fprintf(stderr, "Warning: cannot open /usr/share/applications/%s\n", filename);
                        continue;
                }
-                char *buf = mmap(NULL, sb.st_size + 1, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
+                fseek(fp, 0, SEEK_END);
-                if (buf == MAP_FAILED)
+                size_t size = ftell(fp);
-                        errExit("mmap");
+                fseek(fp, 0, SEEK_SET);
-                close(fd);
+                char *buf = malloc(size + 1);
+                if (!buf)
+                        errExit("malloc");
+                size_t loaded = fread(buf, size, 1, fp);
+                fclose(fp);
+                if (loaded != 1) {
+                        fprintf(stderr, "Warning: cannot read /usr/share/applications/%s\n", filename);
+                        free(buf);
+                        continue;
+                }
+                buf[size] = '\0';
                // check format
                if (strstr(buf, "[Desktop Entry]\n") == NULL) {
                        if (arg_debug)
                                printf("   %s - skipped: wrong format?\n", filename);
-                        munmap(buf, sb.st_size + 1);
+                        free(buf);
                        continue;
                }
@@ -198,7 +206,7 @@ void fix_desktop_files(char *homedir) {
                if (!ptr || strlen(ptr) < 7) {
                        if (arg_debug)
                                printf("   %s - skipped: wrong format?\n", filename);
-                        munmap(buf, sb.st_size + 1);
+                        free(buf);
                        continue;
                }
@@ -207,7 +215,7 @@ void fix_desktop_files(char *homedir) {
                if (execname[0] == '"') {
                        if (arg_debug)
                                printf("   %s - skipped: path quoting unsupported\n", filename);
-                        munmap(buf, sb.st_size + 1);
+                        free(buf);
                        continue;
                }
@@ -241,12 +249,9 @@ void fix_desktop_files(char *homedir) {
                        }
                }
-                if (change_exec == NULL && change_dbus == 0) {
+                free(buf);
-                        munmap(buf, sb.st_size + 1);
+                if (change_exec == NULL && change_dbus == 0)
                        continue;
-                }
-                munmap(buf, sb.st_size + 1);
                //****************************************************
                // generate output file
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index e34ac786c..19d787679 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -21,6 +21,7 @@ akregator
 amarok
 amule
 android-studio
+anydesk
 apktool
 arch-audit
 archaudit-report
@@ -40,6 +41,7 @@ audacious
 audacity
 aweather
 baloo_file
+baloo_filemetadata_temp_extractor
 baobab
 basilisk
 bibletime
@@ -306,6 +308,7 @@ pix
 playonlinux
 pluma
 polari
+ppsspp
 psi-plus
 # pycharm-community - FB note: may enable later
 # pycharm-professional
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 48d985d73..d0f43041c 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -2,7 +2,7 @@ all: firejail
 include ../common.mk
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/ldd_utils.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h
        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 7b0ae30b6..f8094e893 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -166,10 +166,6 @@ int checkcfg(int val) {
                                else
                                        goto errout;
                        }
-                        // follow symlink in private-bin command
-                        else if (strncmp(ptr, "follow-symlink-private-bin ", 27) == 0) {
-                                fwarning("follow-symlink-private-bin from firejail.config was deprecated\n");
-                        }
                        // nonewprivs
                        else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {
                                if (strcmp(ptr + 17, "yes") == 0)
@@ -311,9 +307,6 @@ int checkcfg(int val) {
                                else
                                        goto errout;
                        }
-                        else if (strncmp(ptr, "remount-proc-sys ", 17) == 0) {
-                                fwarning("remount-proc-sys from firejail.config was deprecated\n");
-                        }
                        else if (strncmp(ptr, "overlayfs ", 10) == 0) {
                                if (strcmp(ptr + 10, "yes") == 0)
                                        cfg_val[CFG_OVERLAYFS] = 1;
diff --git a/src/firejail/env.c b/src/firejail/env.c
index 73d68724e..a09be8a77 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -52,6 +52,8 @@ static void env_add(Env *env) {
 // load IBUS env variables
 void env_ibus_load(void) {
+        EUID_ASSERT();
        // check ~/.config/ibus/bus directory
        char *dirname;
        if (asprintf(&dirname, "%s/.config/ibus/bus", cfg.homedir) == -1)
@@ -101,9 +103,7 @@ void env_ibus_load(void) {
                                *ptr = '\0';
                        if (arg_debug)
                                printf("%s\n", buf);
-                        EUID_USER();
                        env_store(buf, SETENV);
-                        EUID_ROOT();
                }
                fclose(fp);
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 4fd11ab4f..0df832c09 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -309,7 +309,6 @@ static inline int any_interface_configured(void) {
 extern int arg_private;         // mount private /home
 extern int arg_private_template; // private /home template
 extern int arg_debug;           // print debug messages
-extern int arg_debug_check_filename;            // print debug messages for filename checking
 extern int arg_debug_blacklists;        // print debug messages for blacklists
 extern int arg_debug_whitelists;        // print debug messages for whitelists
 extern int arg_debug_private_lib;       // print debug messages for private-lib
@@ -577,9 +576,6 @@ void caps_keep_list(const char *clist);
 void caps_print_filter(pid_t pid);
 void caps_drop_dac_override(void);
-// syscall.c
-const char *syscall_find_nr(int nr);
 // fs_trace.c
 void fs_trace_preload(void);
 void fs_trace(void);
@@ -647,12 +643,6 @@ void env_ibus_load(void);
 // fs_whitelist.c
 void fs_whitelist(void);
-// errno.c
-int errno_highest_nr(void);
-int errno_find_name(const char *name);
-char *errno_find_nr(int nr);
-void errno_print(void);
 // pulseaudio.c
 void pulseaudio_init(void);
 void pulseaudio_disable(void);
@@ -681,7 +671,7 @@ void fs_logger_change_owner(void);
 void fs_logger_print_log(pid_t pid);
 // run_symlink.c
-void run_symlink(int argc, char **argv);
+void run_symlink(int argc, char **argv, int run_as_is);
 // paths.c
 char **build_paths(void);
@@ -795,10 +785,6 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 // run sbox
 int sbox_run(unsigned filter, int num, ...);
-// git.c
-void git_install();
-void git_uninstall();
 // run_files.c
 void delete_run_files(pid_t pid);
 void delete_bandwidth_run_file(pid_t pid);
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 29cca0761..c9158ebd5 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -29,6 +29,11 @@
 #include <fcntl.h>
 #include <errno.h>
+// check noblacklist statements not matched by a proper blacklist in disable-*.inc files
+//#define TEST_NO_BLACKLIST_MATCHING
 static void fs_rdwr(const char *dir);
@@ -183,15 +188,17 @@ static void disable_file(OPERATION op, const char *filename) {
        free(fname);
 }
-// check noblacklist statements not matched by a proper blacklist in disable-*.inc files
+#ifdef TEST_NO_BLACKLIST_MATCHING
 static int nbcheck_start = 0;
 static size_t nbcheck_size = 0;
 static int *nbcheck = NULL;
+#endif
 // Treat pattern as a shell glob pattern and blacklist matching files
 static void globbing(OPERATION op, const char *pattern, const char *noblacklist[], size_t noblacklist_len) {
        assert(pattern);
+#ifdef TEST_NO_BLACKLIST_MATCHING
        if (nbcheck_start == 0) {
                nbcheck_start = 1;
                nbcheck_size = noblacklist_len;
@@ -200,6 +207,7 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
                        errExit("malloc");
                memset(nbcheck, 0, sizeof(int) * noblacklist_len);
        }
+#endif
        glob_t globbuf;
        // Profiles contain blacklists for files that might not exist on a user's machine.
@@ -226,8 +234,10 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
                                continue;
                        else if (result == 0) {
                                okay_to_blacklist = false;
+#ifdef TEST_NO_BLACKLIST_MATCHING
                                if (j < nbcheck_size)   // noblacklist checking
                                        nbcheck[j] = 1;
+#endif
                                break;
                        }
                        else {
@@ -419,6 +429,7 @@ void fs_blacklist(void) {
        }
        size_t i;
+#ifdef TEST_NO_BLACKLIST_MATCHING
        // noblacklist checking
        for (i = 0; i < nbcheck_size; i++)
                if (!arg_quiet && !nbcheck[i])
@@ -431,6 +442,7 @@ void fs_blacklist(void) {
                nbcheck = NULL;
                nbcheck_size = 0;
        }
+#endif
        for (i = 0; i < noblacklist_c; i++)
                free(noblacklist[i]);
        free(noblacklist);
diff --git a/src/firejail/join.c b/src/firejail/join.c
index c303d3fb8..d4a2389c6 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -292,6 +292,8 @@ void join(pid_t pid, int argc, char **argv, int index) {
                }
                prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
+                EUID_USER();
                if (chdir("/") < 0)
                        errExit("chdir");
                if (homedir) {
@@ -308,6 +310,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
                        set_cpu_affinity();
                // set caps filter
+                EUID_ROOT();
                if (apply_caps == 1)    // not available for uid 0
                        caps_set(caps);
 #ifdef HAVE_SECCOMP
@@ -347,6 +350,8 @@ void join(pid_t pid, int argc, char **argv, int index) {
                }
                // set environment, add x11 display
+                EUID_USER();
                env_defaults();
                if (display) {
                        char *display_str;
diff --git a/src/firejail/main.c b/src/firejail/main.c
index e676bbd7c..9a013989a 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -47,7 +47,6 @@ Config cfg;					// configuration
 int arg_private = 0;                            // mount private /home and /tmp directoryu
 int arg_private_template = 0; // mount private /home using a template
 int arg_debug = 0;                              // print debug messages
-int arg_debug_check_filename = 0;               // print debug messages for filename checking
 int arg_debug_blacklists = 0;                   // print debug messages for blacklists
 int arg_debug_whitelists = 0;                   // print debug messages for whitelists
 int arg_debug_private_lib = 0;                  // print debug messages for private-lib
@@ -162,37 +161,47 @@ static void my_handler(int s){
        myexit(1);
 }
-static pid_t extract_pid(const char *name) {
+// return 1 if error, 0 if a valid pid was found
+static int extract_pid(const char *name, pid_t *pid) {
+        int retval = 0;
        EUID_ASSERT();
        if (!name || strlen(name) == 0) {
                fprintf(stderr, "Error: invalid sandbox name\n");
                exit(1);
        }
-        pid_t pid;
        EUID_ROOT();
-        if (name2pid(name, &pid)) {
+        if (name2pid(name, pid)) {
-                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
+                retval = 1;
-                exit(1);
        }
        EUID_USER();
-        return pid;
+        return retval;
 }
+// return 1 if error, 0 if a valid pid was found
-static pid_t read_pid(const char *str) {
+static int read_pid(const char *name, pid_t *pid) {
        char *endptr;
        errno = 0;
-        long int pidtmp = strtol(str, &endptr, 10);
+        long int pidtmp = strtol(name, &endptr, 10);
        if ((errno == ERANGE && (pidtmp == LONG_MAX || pidtmp == LONG_MIN))
                || (errno != 0 && pidtmp == 0)) {
-                return extract_pid(str);
+                return extract_pid(name,pid);
        }
-        // endptr points to '\0' char in str if the entire string is valid
+        // endptr points to '\0' char in name if the entire string is valid
        if (endptr == NULL || endptr[0]!='\0') {
-                return extract_pid(str);
+                return extract_pid(name,pid);
        }
-        return (pid_t)pidtmp;
+        *pid =(pid_t)pidtmp;
+        return 0;
+}
+static pid_t require_pid(const char *name) {
+        pid_t pid;
+        if (read_pid(name,&pid)) {
+                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
+                exit(1);
+        }
+        return pid;
 }
 // init configuration
@@ -230,12 +239,15 @@ static void init_cfg(int argc, char **argv) {
        }
        cfg.cwd = getcwd(NULL, 0);
-        // chack user database
+        // check user database
        if (!firejail_user_check(cfg.username)) {
                fprintf(stderr, "Error: the user is not allowed to use Firejail. "
                        "Please add the user in %s/firejail.users file, "
-                        "either by running \"sudo firecfg\", or by editing the file directly."
+                        "either by running \"sudo firecfg\", or by editing the file directly.\n"
                        "See \"man firejail-users\" for more details.\n", SYSCONFDIR);
+                // attempt to run the program as is
+                run_symlink(argc, argv, 1);
                exit(1);
        }
@@ -412,7 +424,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                        }
                        // extract pid or sandbox name
-                        pid_t pid = read_pid(argv[i] + 12);
+                        pid_t pid = require_pid(argv[i] + 12);
                        bandwidth_pid(pid, cmd, dev, down, up);
                }
                else
@@ -421,13 +433,13 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
        }
        else if (strncmp(argv[i], "--netfilter.print=", 18) == 0) {
                // extract pid or sandbox name
-                pid_t pid = read_pid(argv[i] + 18);
+                pid_t pid = require_pid(argv[i] + 18);
                netfilter_print(pid, 0);
                exit(0);
        }
        else if (strncmp(argv[i], "--netfilter6.print=", 19) == 0) {
                // extract pid or sandbox name
-                pid_t pid = read_pid(argv[i] + 19);
+                pid_t pid = require_pid(argv[i] + 19);
                netfilter_print(pid, 1);
                exit(0);
        }
@@ -456,7 +468,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
        else if (strncmp(argv[i], "--seccomp.print=", 16) == 0) {
                if (checkcfg(CFG_SECCOMP)) {
                        // print seccomp filter for a sandbox specified by pid or by name
-                        pid_t pid = read_pid(argv[i] + 16);
+                        pid_t pid = require_pid(argv[i] + 16);
                        seccomp_print_filter(pid);
                }
                else
@@ -470,7 +482,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
        else if (strncmp(argv[i], "--protocol.print=", 17) == 0) {
                if (checkcfg(CFG_SECCOMP)) {
                        // print seccomp filter for a sandbox specified by pid or by name
-                        pid_t pid = read_pid(argv[i] + 17);
+                        pid_t pid = require_pid(argv[i] + 17);
                        protocol_print_filter(pid);
                }
                else
@@ -479,7 +491,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
        }
 #endif
        else if (strncmp(argv[i], "--profile.print=", 16) == 0) {
-                pid_t pid = read_pid(argv[i] + 16);
+                pid_t pid = require_pid(argv[i] + 16);
                // print /run/firejail/profile/<PID> file
                char *fname;
@@ -500,13 +512,13 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
        }
        else if (strncmp(argv[i], "--cpu.print=", 12) == 0) {
                // join sandbox by pid or by name
-                pid_t pid = read_pid(argv[i] + 12);
+                pid_t pid = require_pid(argv[i] + 12);
                cpu_print_filter(pid);
                exit(0);
        }
        else if (strncmp(argv[i], "--apparmor.print=", 12) == 0) {
                // join sandbox by pid or by name
-                pid_t pid = read_pid(argv[i] + 17);
+                pid_t pid = require_pid(argv[i] + 17);
                char *pidstr;
                if (asprintf(&pidstr, "%u", pid) == -1)
                        errExit("asprintf");
@@ -516,19 +528,19 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
        }
        else if (strncmp(argv[i], "--caps.print=", 13) == 0) {
                // join sandbox by pid or by name
-                pid_t pid = read_pid(argv[i] + 13);
+                pid_t pid = require_pid(argv[i] + 13);
                caps_print_filter(pid);
                exit(0);
        }
        else if (strncmp(argv[i], "--fs.print=", 11) == 0) {
                // join sandbox by pid or by name
-                pid_t pid = read_pid(argv[i] + 11);
+                pid_t pid = require_pid(argv[i] + 11);
                fs_logger_print_log(pid);
                exit(0);
        }
        else if (strncmp(argv[i], "--dns.print=", 12) == 0) {
                // join sandbox by pid or by name
-                pid_t pid = read_pid(argv[i] + 12);
+                pid_t pid = require_pid(argv[i] + 12);
                net_dns_print(pid);
                exit(0);
        }
@@ -593,7 +605,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                         }
                        // get file
-                        pid_t pid = read_pid(argv[i] + 6);
+                        pid_t pid = require_pid(argv[i] + 6);
                        sandboxfs(SANDBOX_FS_GET, pid, path, NULL);
                        exit(0);
                }
@@ -623,7 +635,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                         }
                        // get file
-                        pid_t pid = read_pid(argv[i] + 6);
+                        pid_t pid = require_pid(argv[i] + 6);
                        sandboxfs(SANDBOX_FS_PUT, pid, path1, path2);
                        exit(0);
                }
@@ -647,7 +659,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                         }
                        // list directory contents
-                        pid_t pid = read_pid(argv[i] + 5);
+                        pid_t pid = require_pid(argv[i] + 5);
                        sandboxfs(SANDBOX_FS_LS, pid, path, NULL);
                        exit(0);
                }
@@ -671,7 +683,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                                cfg.shell = guess_shell();
                        // join sandbox by pid or by name
-                        pid_t pid = read_pid(argv[i] + 7);
+                        pid_t pid = require_pid(argv[i] + 7);
                        join(pid, argc, argv, i + 1);
                        exit(0);
                }
@@ -692,17 +704,15 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                        cfg.original_program_index = i + 1;
                }
-#if 0 // todo: redo it
                // try to join by name only
                pid_t pid;
-                if (!name2pid(argv[i] + 16, &pid)) {
+                if (!read_pid(argv[i] + 16, &pid)) {
                        if (!cfg.shell && !arg_shell_none)
                                cfg.shell = guess_shell();
                        join(pid, argc, argv, i + 1);
                        exit(0);
                }
-#endif
                // if there no such sandbox continue argument processing
        }
 #ifdef HAVE_NETWORK
@@ -719,7 +729,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                                cfg.shell = guess_shell();
                        // join sandbox by pid or by name
-                        pid_t pid = read_pid(argv[i] + 15);
+                        pid_t pid = require_pid(argv[i] + 15);
                        join(pid, argc, argv, i + 1);
                }
                else
@@ -739,7 +749,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                        cfg.shell = guess_shell();
                // join sandbox by pid or by name
-                pid_t pid = read_pid(argv[i] + 18);
+                pid_t pid = require_pid(argv[i] + 18);
                join(pid, argc, argv, i + 1);
                exit(0);
        }
@@ -747,7 +757,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                logargs(argc, argv);
                // shutdown sandbox by pid or by name
-                pid_t pid = read_pid(argv[i] + 11);
+                pid_t pid = require_pid(argv[i] + 11);
                shut(pid);
                exit(0);
        }
@@ -907,7 +917,7 @@ int main(int argc, char **argv) {
        // check argv[0] symlink wrapper if this is not a login shell
        if (*argv[0] != '-')
-                run_symlink(argc, argv); // if symlink detected, this function will not return
+                run_symlink(argc, argv, 0); // if symlink detected, this function will not return
        // check if we already have a sandbox running
        // If LXC is detected, start firejail sandbox
@@ -1051,8 +1061,6 @@ int main(int argc, char **argv) {
                if (strcmp(argv[i], "--debug") == 0 && !arg_quiet)
                        arg_debug = 1;
-                else if (strcmp(argv[i], "--debug-check-filename") == 0)
-                        arg_debug_check_filename = 1;
                else if (strcmp(argv[i], "--debug-blacklists") == 0)
                        arg_debug_blacklists = 1;
                else if (strcmp(argv[i], "--debug-whitelists") == 0)
@@ -1439,9 +1447,6 @@ int main(int argc, char **argv) {
                        custom_profile = 1;
                        free(ppath);
                }
-                else if (strncmp(argv[i], "--profile-path=", 15) == 0) {
-                        fwarning("--profile-path has been deprecated\n");
-                }
                else if (strcmp(argv[i], "--noprofile") == 0) {
                        if (custom_profile) {
                                fprintf(stderr, "Error: --profile and --noprofile options are mutually exclusive\n");
@@ -1541,9 +1546,6 @@ int main(int argc, char **argv) {
                else if (strcmp(argv[i], "--machine-id") == 0) {
                        arg_machineid = 1;
                }
-                else if (strcmp(argv[i], "--allow-private-blacklist") == 0) {
-                        fwarning("--allow-private-blacklist was deprecated\n");
-                }
                else if (strcmp(argv[i], "--private") == 0) {
                        arg_private = 1;
                }
@@ -2117,29 +2119,6 @@ int main(int argc, char **argv) {
                }
                else if (strcmp(argv[i], "--appimage") == 0)
                        arg_appimage = 1;
-                else if (strcmp(argv[i], "--csh") == 0) {
-                        if (arg_shell_none) {
-                                fprintf(stderr, "Error: --shell=none was already specified.\n");
-                                return 1;
-                        }
-                        if (cfg.shell) {
-                                fprintf(stderr, "Error: only one default user shell can be specified\n");
-                                return 1;
-                        }
-                        cfg.shell = "/bin/csh";
-                }
-                else if (strcmp(argv[i], "--zsh") == 0) {
-                        if (arg_shell_none) {
-                                fprintf(stderr, "Error: --shell=none was already specified.\n");
-                                return 1;
-                        }
-                        if (cfg.shell) {
-                                fprintf(stderr, "Error: only one default user shell can be specified\n");
-                                return 1;
-                        }
-                        cfg.shell = "/bin/zsh";
-                }
                else if (strcmp(argv[i], "--shell=none") == 0) {
                        arg_shell_none = 1;
                        if (cfg.shell) {
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index ba955bcca..5bd3f7e09 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -167,9 +167,7 @@ void run_no_sandbox(int argc, char **argv) {
        for (i = 0; i < argc; i++) {
                if (strcmp(argv[i], "--debug") == 0)
                        arg_debug = 1;
-                else if (strcmp(argv[i], "--csh") == 0 ||
+                else if (strcmp(argv[i], "--shell=none") == 0 ||
-                    strcmp(argv[i], "--zsh") == 0 ||
-                    strcmp(argv[i], "--shell=none") == 0 ||
                    strncmp(argv[i], "--shell=", 8) == 0)
                        fwarning("shell-related command line options are disregarded - using SHELL environment variable\n");
        }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 3ef9a1856..156ffa24a 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -257,10 +257,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                arg_nodbus = 1;
                return 0;
        }
-        else if (strcmp(ptr, "allow-private-blacklist") == 0) {
-                fmessage("--allow-private-blacklist was deprecated\n");
-                return 0;
-        }
        else if (strcmp(ptr, "netfilter") == 0) {
 #ifdef HAVE_NETWORK
                if (checkcfg(CFG_NETWORK))
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c
index 5d59afad4..2bb4a2ed7 100644
--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -22,7 +22,7 @@
 #include <sys/stat.h>
 #include <unistd.h>
-void run_symlink(int argc, char **argv) {
+void run_symlink(int argc, char **argv, int run_as_is) {
        EUID_ASSERT();
        char *program = strrchr(argv[0], '/');
@@ -33,6 +33,12 @@ void run_symlink(int argc, char **argv) {
        if (strcmp(program, "firejail") == 0) // this is a regular "firejail program" sandbox starting
                return;
+        // drop privileges
+        if (setgid(getgid()) < 0)
+                errExit("setgid/getgid");
+        if (setuid(getuid()) < 0)
+                errExit("setuid/getuid");
        // find the real program by looking in PATH
        char *p = getenv("PATH");
        if (!p) {
@@ -84,20 +90,13 @@ void run_symlink(int argc, char **argv) {
        free(selfpath);
        // desktop integration is not supported for root user; instead, the original program is started
-        if (getuid() == 0) {
+        if (getuid() == 0 || run_as_is) {
                argv[0] = program;
                execv(program, argv);
                exit(1);
        }
        // start the argv[0] program in a new sandbox
-        // drop privileges
-        if (setgid(getgid()) < 0)
-                errExit("setgid/getgid");
-        if (setuid(getuid()) < 0)
-                errExit("setuid/getuid");
-        // run command
        char *a[3 + argc];
        a[0] =PATH_FIREJAIL;
        a[1] = program;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index e0cecda1b..8abdf6b2c 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -668,8 +668,11 @@ int sandbox(void* sandbox_arg) {
        if (arg_nonetwork || any_bridge_configured() || any_interface_configured()) {
                // do nothing - there are problems with ibus version 1.5.11
        }
-        else
+        else {
+                EUID_USER();
                env_ibus_load();
+                EUID_ROOT();
+        }
        //****************************
        // fs pre-processing:
@@ -925,6 +928,8 @@ int sandbox(void* sandbox_arg) {
        // set application environment
        //****************************
        prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
+        EUID_USER();
        int cwd = 0;
        if (cfg.cwd) {
                if (chdir(cfg.cwd) == 0)
@@ -951,7 +956,7 @@ int sandbox(void* sandbox_arg) {
                }
        }
+        EUID_ROOT();
        // set nice
        if (arg_nice) {
                errno = 0;
@@ -980,7 +985,9 @@ int sandbox(void* sandbox_arg) {
        // set cpu affinity
        if (cfg.cpus) {
                save_cpu(); // save cpu affinity mask to CPU_CFG file
+                EUID_USER();
                set_cpu_affinity();
+                EUID_ROOT();
        }
        // save cgroup in CGROUP_CFG file
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index effbf3751..742fc0465 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -29,8 +29,6 @@ static char *usage_str =
        "Options:\n"
        "    -- - signal the end of options and disables further option processing.\n"
        "    --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"
-        "    --allow-private-blacklist - allow blacklisting files in private\n"
-        "\thome directories.\n"
        "    --allusers - all user home directories are visible inside the sandbox.\n"
        "    --apparmor - enable AppArmor confinement.\n"
        "    --apparmor.print=name|pid - print apparmor status.\n"
@@ -58,11 +56,9 @@ static char *usage_str =
 #endif
        "    --cpu=cpu-number,cpu-number - set cpu affinity.\n"
        "    --cpu.print=name|pid - print the cpus in use.\n"
-        "    --csh - use /bin/csh as default shell.\n"
        "    --debug - print sandbox debug messages.\n"
        "    --debug-blacklists - debug blacklisting.\n"
        "    --debug-caps - print all recognized capabilities.\n"
-        "    --debug-check-filename - debug filename checking.\n"
        "    --debug-errnos - print all recognized error numbers.\n"
        "    --debug-private-lib - debug for --private-lib option.\n"
        "    --debug-protocols - print all recognized protocols.\n"
@@ -77,7 +73,9 @@ static char *usage_str =
        "    --dns.print=name|pid - print DNS configuration.\n"
        "    --env=name=value - set environment variable.\n"
        "    --fs.print=name|pid - print the filesystem log.\n"
+#ifdef HAVE_FILE_TRANSFER
        "    --get=name|pid filename - get a file from sandbox container.\n"
+#endif
        "    --help, -? - this help screen.\n"
        "    --hostname=name - set sandbox hostname.\n"
        "    --hosts-file=file - use file as /etc/hosts.\n"
@@ -97,7 +95,9 @@ static char *usage_str =
 #endif
        "    --join-or-start=name|pid - join the sandbox or start a new one.\n"
        "    --list - list all sandboxes.\n"
+#ifdef HAVE_FILE_TRANSFER
        "    --ls=name|pid dir_or_filename - list files in sandbox container.\n"
+#endif
 #ifdef HAVE_NETWORK
        "    --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n"
 #endif
@@ -159,13 +159,16 @@ static char *usage_str =
        "\tfilesystem, and copy the files and directories in the list.\n"
        "    --private-tmp - mount a tmpfs on top of /tmp directory.\n"
        "    --private-opt=file,directory - build a new /opt in a temporary filesystem.\n"
+        "    --private-srv=file,directory - build a new /srv in a temporary filesystem.\n"
        "    --profile=filename - use a custom profile.\n"
        "    --profile.print=name|pid - print the name of profile file.\n"
        "    --profile-path=directory - use this directory to look for profile files.\n"
        "    --protocol=protocol,protocol,protocol - enable protocol filter.\n"
        "    --protocol.print=name|pid - print the protocol filter.\n"
+#ifdef HAVE_FILE_TRANSFER
        "    --put=name|pid src-filename dest-filename - put a file in sandbox\n"
        "\tcontainer.\n"
+#endif
        "    --quiet - turn off Firejail's output.\n"
        "    --read-only=filename - set directory or file read-only..\n"
        "    --read-write=filename - set directory or file read-write.\n"
@@ -230,7 +233,6 @@ static char *usage_str =
        "    --x11=xvfb - enable Xvfb X11 server.\n"
        "    --xephyr-screen=WIDTHxHEIGHT - set screen size for --x11=xephyr.\n"
 #endif
-        "    --zsh - use /usr/bin/zsh as default shell.\n"
        "\n"
        "Examples:\n"
        "    $ firejail firefox\n"
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 3437d495f..a44e52e98 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -800,9 +800,6 @@ void invalid_filename(const char *fname, int globbing) {
        assert(fname);
        const char *ptr = fname;
-        if (arg_debug_check_filename)
-                printf("Checking filename %s\n", fname);
        if (strncmp(ptr, "${HOME}", 7) == 0)
                ptr = fname + 7;
        else if (strncmp(ptr, "${PATH}", 7) == 0)
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 7040dea18..8cf4fccf3 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1078,7 +1078,7 @@ void x11_xorg(void) {
        // check xauth utility is present in the system
        struct stat s;
        if (stat("/usr/bin/xauth", &s) == -1) {
-                fprintf(stderr, "Error: xauth utility not found in PATH.  Please install it:\n"
+                fprintf(stderr, "Error: xauth utility not found in /usr/bin. Please install it:\n"
                        "   Debian/Ubuntu/Mint: sudo apt-get install xauth\n");
                exit(1);
        }
diff --git a/src/firemon/usage.c b/src/firemon/usage.c
index 37bd4e874..a4d642d66 100644
--- a/src/firemon/usage.c
+++ b/src/firemon/usage.c
@@ -43,6 +43,7 @@ static char *help_str =
        "\t--tree - print a tree of all sandboxed processes.\n\n"
        "\t--top - monitor the most CPU-intensive sandboxes.\n\n"
        "\t--version - print program version and exit.\n\n"
+        "\t--x11 - print X11 display number.\n\n"
        "Without any options, firemon monitors all fork, exec, id change, and exit\n"
        "events in the sandbox. Monitoring a specific PID is also supported.\n\n"
diff --git a/src/lib/firejail_user.c b/src/lib/firejail_user.c
index 5d92aa133..09a4da0e7 100644
--- a/src/lib/firejail_user.c
+++ b/src/lib/firejail_user.c
@@ -28,6 +28,7 @@
 #include "../include/common.h"
 #include <sys/types.h>
 #include <pwd.h>
+#include "../../uids.h"
 #define MAXBUF 4098
 static inline char *get_fname(void) {
@@ -41,10 +42,14 @@ static inline char *get_fname(void) {
 int firejail_user_check(const char *name) {
        assert(name);
-        // root allowed by default
+        // root is allowed to run firejail by default
        if (strcmp(name, "root") == 0)
                return 1;
+        // other system users will run the program as is
+        if (getuid() < UID_MIN || strcmp(name, "nobody") == 0)
+                return 0;
        // check file existence
        char *fname = get_fname();
        if (access(fname, F_OK)) {
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index b529f63e3..0217e1353 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -223,7 +223,8 @@ Build a new /bin in a temporary filesystem, and copy the programs in the list.
 The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
 .TP
 \fBprivate-dev
-Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available.
+Create a new /dev directory. Only disc, dri, null, full, zero, tty, pts, ptmx,
+random, snd, urandom, video, log and shm devices are available.
 .TP
 \fBprivate-etc file,directory
 Build a new /etc in a temporary
@@ -448,6 +449,12 @@ Run the program directly, without a shell.
 \fBipc-namespace
 Enable IPC namespace.
 .TP
+\fBnodbus
+Disable D-Bus access. Only the regular UNIX socket is handled by
+this command. To disable the abstract socket, you would need to
+request a new network namespace using the net command. Another
+option is to remove unix from protocol set.
+.TP
 \fBnosound
 Disable sound system.
 .TP
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt
index fcc0f914b..c29de0705 100644
--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -5,7 +5,11 @@ firejail.users \- Firejail user access database
 .SH DESCRIPTION
 /etc/firejail/firejail.users lists the users allowed to run firejail SUID executable.
 If the file is not present in the system, all users are allowed to use the sandbox.
-root user is allowed by default.
+root user is allowed by default. Other system users (users with an ID below UID_MIN value
+defined in /etc/login.defs, typically 1000) are not allowed to start the sandbox.
+If the user is not allowed to start the sandbox, Firejail will attempt to run the
+program without sandboxing it.
 Example:
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 6e8e4eb2c..d8fed1f31 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -314,15 +314,6 @@ $ firejail \-\-list
 $ firejail \-\-cpu.print=3272
 .TP
-\fB\-\-csh
-Use /bin/csh as default user shell.
-.br
-.br
-Example:
-.br
-$ firejail \-\-csh
-.TP
 \fB\-\-debug\fR
 Print debug messages.
 .br
@@ -351,15 +342,6 @@ Print all recognized capabilities in the current Firejail software build and exi
 Example:
 .br
 $ firejail \-\-debug-caps
-.TP
-\fB\-\-debug-check-filename\fR
-Debug filename checking.
-.br
-.br
-Example:
-.br
-$ firejail \-\-debug-check-filename firefox
 .TP
 \fB\-\-debug-errnos
@@ -1620,20 +1602,16 @@ $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list (@default). The default list is as follows:
-mount, umount2, ptrace, kexec_load, kexec_file_load, name_to_handle_at, open_by_handle_at, create_module, init_module, finit_module, delete_module,
+_sysctl, acct, add_key, adjtimex, afs_syscall, bdflush, bpf, break, chroot, clock_adjtime, clock_settime,
-iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
+create_module, delete_module, fanotify_init, finit_module, ftime, get_kernel_syms, getpmsg, gtty, init_module,
-sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,
+io_cancel, io_destroy, io_getevents, io_setup, io_submit, ioperm, iopl, ioprio_set, kcmp, kexec_file_load,
-add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
+kexec_load, keyctl, lock, lookup_dcookie, mbind, mfsservctl, migrate_pages, modify_ldt, mount, move_pages, mpx,
-io_destroy, io_getevents, io_submit, io_cancel,
+name_to_handle_at, open_by_handle_at, pciconfig_iobase, pciconfig_read, pciconfig_write, perf_event_open,
-remap_file_pages, mbind, set_mempolicy,
+personality, pivot_root, process_vm_readv, process_vm_writev, process_vm_writev, prof, profil, ptrace, putpmsg,
-migrate_pages, move_pages, vmsplice, chroot,
+query_module, reboot, remap_file_pages, request_key, rtas, s390_mmio_read, s390_mmio_write, s390_runtime_instr,
-tuxcall, reboot, mfsservctl, get_kernel_syms,
+security, set_mempolicy, setdomainname, sethostname, settimeofday, sgetmask, ssetmask, stime, stty, subpage_prot,
-bpf, clock_settime, personality, process_vm_writev, query_module,
+swapoff, swapon, switch_endian, sysfs, syslog, tuxcall, ulimit, umount, umount2, uselib, userfaultfd, ustat, vhangup,
-settimeofday, stime, umount, userfaultfd, ustat, vm86, vm86old,
+vm86, vm86old, vmsplice and vserver.
-afs_syscall, bdflush, break, ftime, getpmsg, gtty, lock, mpx, pciconfig_iobase, pciconfig_read,
-pciconfig_write, prof, profil, putpmsg, rtas, s390_runtime_instr, s390_mmio_read, s390_mmio_write,
-security, setdomainname,  sethostname, sgetmask, ssetmask, stty, subpage_prot, switch_endian,
-ulimit, vhangup and vserver.
 .br
 To help creating useful seccomp filters more easily, the following
@@ -1716,7 +1694,7 @@ Bad system call
 .br
 .TP
-\fB\-\-seccomp.block_secondary
+\fB\-\-seccomp.block-secondary
 Enable seccomp filter and filter system call architectures so that
 only the native architecture is allowed. For example, on amd64, i386
 and x32 system calls are blocked as well as changing the execution
@@ -1949,8 +1927,7 @@ $ firejail \-\-shell=none script.sh
 \fB\-\-shell=program
 Set default user shell. Use this shell to run the application using \-c shell option.
 For example "firejail \-\-shell=/bin/dash firefox" will start Mozilla Firefox as "/bin/dash \-c firefox".
-By default Bash shell (/bin/bash) is used. Options such as \-\-zsh and \-\-csh can also set the default
+By default Bash shell (/bin/bash) is used.
-shell.
 .br
 .br
@@ -2324,16 +2301,6 @@ Example:
 $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox
 .br
-.TP
-\fB\-\-zsh
-Use /usr/bin/zsh as default user shell.
-.br
-.br
-Example:
-.br
-$ firejail \-\-zsh
 .SH DESKTOP INTEGRATION
 A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.
 The symbolic link should be placed in the first $PATH position. On most systems, a good place
diff --git a/test/appimage/appimage-args.exp b/test/appimage/appimage-args.exp
index dcf16452f..0ec07c1ad 100755
--- a/test/appimage/appimage-args.exp
+++ b/test/appimage/appimage-args.exp
@@ -56,7 +56,7 @@ expect {
 sleep 2
 spawn $env(SHELL)
-send -- "firemon --seccomp\r"
+send -- "firemon --seccomp --nowrap\r"
 expect {
        timeout {puts "TESTING ERROR 8\n";exit}
        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
@@ -71,7 +71,7 @@ expect {
        "name=blablabla"
 }
 after 100
-send -- "firemon --caps\r"
+send -- "firemon --caps --nowrap\r"
 expect {
        timeout {puts "TESTING ERROR 11\n";exit}
        "appimage Leafpad"
diff --git a/test/appimage/appimage-v1.exp b/test/appimage/appimage-v1.exp
index 073c32dab..90b13b9ff 100755
--- a/test/appimage/appimage-v1.exp
+++ b/test/appimage/appimage-v1.exp
@@ -44,7 +44,7 @@ expect {
 sleep 2
 spawn $env(SHELL)
-send -- "firemon --seccomp\r"
+send -- "firemon --seccomp --nowrap\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
@@ -59,7 +59,7 @@ expect {
        "name=blablabla"
 }
 after 100
-send -- "firemon --caps\r"
+send -- "firemon --caps --nowrap\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
        "appimage Leafpad"
diff --git a/test/environment/csh.exp b/test/environment/csh.exp
index 10a278ebc..7b5ab9b33 100755
--- a/test/environment/csh.exp
+++ b/test/environment/csh.exp
@@ -1,49 +1,31 @@
 #!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail --private --tracelog --csh\r"
+send -- "firejail --private --shell=/bin/csh\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
 }
 sleep 1
-send -- "find ~\r"
+send -- "env | grep SHELL;pwd\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        ".cshrc"
+        "SHELL"
-}
-send -- "env | grep SHELL\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "SHELL"
 }
 expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
        "/bin/csh"
 }
-send -- "exit\r"
-sleep 1
-send -- "firejail --shell=none --csh\r"
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
-        "shell=none was already specified"
+        "home"
-}
-after 100
-send -- "firejail --csh --shell=none\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "a shell was already specified"
 }
+send -- "exit\r"
 after 100
-puts "\n"
+puts "\nall done\n"
diff --git a/test/environment/zsh.exp b/test/environment/zsh.exp
index e7f610e98..a1b94a326 100755
--- a/test/environment/zsh.exp
+++ b/test/environment/zsh.exp
@@ -1,49 +1,31 @@
 #!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail --private --tracelog --zsh\r"
+send -- "firejail --private --shell=/bin/zsh\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
 }
 sleep 1
-send -- "find ~\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        ".zshrc"
-}
 send -- "env | grep SHELL;pwd\r"
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 1\n";exit}
        "SHELL"
 }
 expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
        "/bin/zsh"
 }
-send -- "exit\r"
-sleep 1
-send -- "firejail --shell=none --zsh\r"
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
-        "shell=none was already specified"
+        "home"
-}
-after 100
-send -- "firejail --zsh --shell=none\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "a shell was already specified"
 }
+send -- "exit\r"
 after 100
 puts "\nall done\n"
diff --git a/test/root/private.exp b/test/root/private.exp
index 784761fc8..e3d3245ae 100755
--- a/test/root/private.exp
+++ b/test/root/private.exp
@@ -54,6 +54,21 @@ expect {
 after 100
 send -- "exit\r"
 sleep 1
+send -- "firejail --whitelist=/opt/firejail-test-file --whitelist=/opt/firejail-test-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "find /opt | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 4.1\n";exit}
+        "4"
+}
+after 100
+send -- "exit\r"
+sleep 1
 send -- "touch /srv/firejail-test-file\r"
@@ -77,14 +92,20 @@ expect {
 after 100
 send -- "exit\r"
 sleep 1
+send -- "firejail --whitelist=/srv/firejail-test-file --whitelist=/srv/firejail-test-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "find /srv | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "4"
+}
+after 100
+send -- "exit\r"
+sleep 1
 puts "\nall done\n"