25 files changed, 292 insertions, 191 deletions

diff --git a/README b/README
index c94560026..67d9a555f 100644
--- a/README
+++ b/README
@@ -97,6 +97,10 @@ valoq (https://github.com/valoq)
         - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles
         - added wget profile
         - disable gnupg and systemd directories under /run/user
+Mike Frysinger (vapier@gentoo.org)
+        - Gentoo compile patch
+Jericho (https://github.com/attritionorg)
+        - spelling
 Pixel Fairy (https://github.com/xahare)
         - added fjclip.py, fjdisplay.py and fjresize.py in contrib section
 pshpsh (https://github.com/pshpsh)
@@ -108,6 +112,7 @@ thewisenerd (https://github.com/thewisenerd)
         - use $SHELL variable if the shell is not specified
 SYN-cook (https://github.com/SYN-cook)
         - keepass/keepassx browser fixes
+        - disable-common.inc fixes
 thewisenerd (https://github.com/thewisenerd)
         - appimage: pass commandline arguments
 KOLANICH (https://github.com/KOLANICH)
@@ -217,6 +222,8 @@ KellerFuchs (https://github.com/KellerFuchs)
         - nonewpriv support, extended profiles for this feature
         - make `restricted-network` prevent use of netfilter
         - disable-common.inc additions
+        - make mutt and msmtp's rc files read-only
+        - added support for .local profile files in /etc/firejail
 ValdikSS (https://github.com/ValdikSS)
         - Psi+, Corebird, Konversation profiles
         - various profile fixes
@@ -296,6 +303,7 @@ Ivan Kozik (https://github.com/ivan)
         - speed up sandbox exit
 Christian Stadelmann (https://github.com/genodeftest)
         - profile fixes
+        - evolution profile fix
 pirate486743186 (https://github.com/pirate486743186)
         - KMail profile
 Kaan Genç (https://github.com/SeriousBug)
diff --git a/RELNOTES b/RELNOTES
index a14200a0f..7d0bbaf61 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,12 +1,13 @@
 firejail (0.9.45) baseline; urgency=low
   * development version, work in progress
+  * Gentoo compile patch
   * security: --bandwidth root shell found by Martin Carpenter (CVE-2017-5207)
   * security: disabled --allow-debuggers when running on kernel
     versions prior to 4.8; a kernel bug in ptrace system call
     allows a full bypass of seccomp filter; problem reported by Lizzie Dixon
     (CVE-2017-5206)
   * security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118)
-  * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson
+  * security: TOCTOU exploit for --get and --put found by Daniel Hodson
   * security: invalid environment exploit found by Martin Carpenter (CVE-2016-10122)
   * security: split most of networking code in a separate executable
   * security: split seccomp filter code configuration in a separate executable
@@ -24,6 +25,7 @@ firejail (0.9.45) baseline; urgency=low
   * feature: --allow-private-blacklist option
   * feature: allow non-seccomp setup for OverlayFS sandboxes
   * feature: added a number o Python scripts for handling sandboxes
+  * feature: allow local customization using .local files under /etc/firejail
   * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
   * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
   * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,
diff --git a/etc/Cryptocat.profile b/etc/Cryptocat.profile
index 3db34c03c..b61b88f68 100644
--- a/etc/Cryptocat.profile
+++ b/etc/Cryptocat.profile
@@ -1,4 +1,4 @@
-# Firejail profile for 
+# Firejail profile for Cryptocat
 noblacklist ${HOME}/.config/Cryptocat
 
 include /etc/firejail/disable-common.inc
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 184885c7f..ac32f07e7 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -1,3 +1,6 @@
+# Local customizations come here
+include /etc/firejail/disable-common.local
+
 # History files in $HOME
 blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.*_history
@@ -81,6 +84,7 @@ read-only ${HOME}/.profile
 read-only ${HOME}/.antigen
 read-only ${HOME}/.bash_login
 read-only ${HOME}/.bashrc
+read-only ${HOME}/.bash_aliases
 read-only ${HOME}/.bash_profile
 read-only ${HOME}/.bash_logout
 read-only ${HOME}/.zsh.d
@@ -101,6 +105,9 @@ read-only ${HOME}/.caffrc
 read-only ${HOME}/.dotfiles
 read-only ${HOME}/dotfiles
 read-only ${HOME}/.mailcap
+read-only ${HOME}/.muttrc
+read-only ${HOME}/.mutt/muttrc
+read-only ${HOME}/.msmtprc
 read-only ${HOME}/.exrc
 read-only ${HOME}/_exrc
 read-only ${HOME}/.vimrc
@@ -134,6 +141,7 @@ blacklist ${HOME}/.Private
 blacklist ${HOME}/.ssh
 blacklist ${HOME}/.cert
 blacklist ${HOME}/.gnome2/keyrings
+blacklist ${HOME}/.local/share/keyrings
 blacklist ${HOME}/.kde4/share/apps/kwallet
 blacklist ${HOME}/.kde/share/apps/kwallet
 blacklist ${HOME}/.local/share/kwalletd
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc
index 2ac367f37..07fc3928c 100644
--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
@@ -1,3 +1,6 @@
+# Local customizations come here
+include /etc/firejail/disable-devel.local
+
 # development tools
 
 # GCC
diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc
index 045b4d92b..7d129b2e4 100644
--- a/etc/disable-passwdmgr.inc
+++ b/etc/disable-passwdmgr.inc
@@ -1,3 +1,6 @@
+# Local customizations come here
+include /etc/firejail/disable-passwdmgr.local
+
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index e5eb4f857..b307978da 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -1,3 +1,6 @@
+# Local customizations come here
+include /etc/firejail/disable-programs.local
+
 blacklist ${HOME}/.*coin
 blacklist ${HOME}/.8pecxstudios
 blacklist ${HOME}/.Atom
@@ -174,8 +177,17 @@ blacklist ${HOME}/.icedove
 blacklist ${HOME}/.inkscape
 blacklist ${HOME}/.jitsi
 blacklist ${HOME}/.kde/share/apps/gwenview
+blacklist ${HOME}/.kde/share/apps/kcookiejar
+blacklist ${HOME}/.kde/share/apps/khtml
+blacklist ${HOME}/.kde/share/apps/konqsidebartng
+blacklist ${HOME}/.kde/share/apps/konqueror
 blacklist ${HOME}/.kde/share/apps/okular
 blacklist ${HOME}/.kde/share/config/gwenviewrc
+blacklist ${HOME}/.kde/share/config/kcookiejarrc
+blacklist ${HOME}/.kde/share/config/khtmlrc
+blacklist ${HOME}/.kde/share/config/konq_history
+blacklist ${HOME}/.kde/share/config/konqsidebartngrc
+blacklist ${HOME}/.kde/share/config/konquerorrc
 blacklist ${HOME}/.kde/share/config/okularpartrc
 blacklist ${HOME}/.kde/share/config/okularrc
 blacklist ${HOME}/.killingfloor
diff --git a/etc/evolution.profile b/etc/evolution.profile
index ab6dd7a4a..1707e562b 100644
--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -6,6 +6,9 @@ noblacklist ~/.pki
 noblacklist ~/.pki/nssdb
 noblacklist ~/.gnupg
 
+noblacklist /var/spool/mail
+noblacklist /var/mail
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/uzbl-browser.profile b/etc/uzbl-browser.profile
new file mode 100644
index 000000000..1346b7fc2
--- /dev/null
+++ b/etc/uzbl-browser.profile
@@ -0,0 +1,27 @@
+# Firejail profile for uzbl-browser
+
+noblacklist ~/.config/uzbl
+noblacklist ~/.cache/uzbl
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+tracelog
+
+mkdir ~/.config/uzbl
+whitelist ~/.config/uzbl
+mkdir ~/.cache/uzbl
+whitelist ~/.cache/uzbl
+mkdir ~/.local/share/uzbl
+whitelist ~/.local/share/uzbl
+
+whitelist ${DOWNLOADS}
+
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index d4e69948e..cf7797100 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -1,3 +1,6 @@
+# Local customizations come here
+include /etc/firejail/whitelist-common.local
+
 # common whitelist for all profiles
 
 whitelist ~/.XCompose
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 36cf47435..722d5c05e 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -105,7 +105,7 @@
 #define ASSERT_PERMS_FD(fd, uid, gid, mode) \
         do { \
                 struct stat s;\
-                if (stat(fd, &s) == -1) errExit("stat");\
+                if (fstat(fd, &s) == -1) errExit("fstat");\
                 assert(s.st_uid == uid);\
                 assert(s.st_gid == gid);\
                 assert((s.st_mode & 07777) == (mode));\
@@ -403,7 +403,7 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse);
 void fs_overlayfs(void);
 // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
 void fs_chroot(const char *rootdir);
-int fs_check_chroot_dir(const char *rootdir);
+void fs_check_chroot_dir(const char *rootdir);
 
 // profile.c
 // find and read the profile specified by name from dir directory
@@ -450,6 +450,8 @@ void logmsg(const char *msg);
 void logargs(int argc, char **argv) ;
 void logerr(const char *msg);
 int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
+void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
+void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode);
 int is_dir(const char *fname);
 int is_link(const char *fname);
 char *line_remove_spaces(const char *buf);
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index e2fc09533..0da4cc111 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -711,10 +711,36 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
         // create ~/.firejail directory
         if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
                 errExit("asprintf");
+                
+        if (is_link(dirname)) {
+                fprintf(stderr, "Error: invalid ~/.firejail directory\n");
+                exit(1);
+        }
         if (stat(dirname, &s) == -1) {
-                mkdir_attr(dirname, 0700, 0, 0);
+                // create directory
+                pid_t child = fork();
+                if (child < 0)
+                        errExit("fork");
+                if (child == 0) {
+                        // drop privileges
+                        drop_privs(0);
+        
+                        // create directory
+                        if (mkdir(dirname, 0700))
+                                errExit("mkdir");
+                        if (chmod(dirname, 0700) == -1)
+                                errExit("chmod");
+                        ASSERT_PERMS(dirname, getuid(), getgid(), 0700);
+                        _exit(0);
+                }
+                // wait for the child to finish
+                waitpid(child, NULL, 0);
+                if (stat(dirname, &s) == -1) {
+                        fprintf(stderr, "Error: cannot create ~/.firejail directory\n");
+                        exit(1);
+                }
         }
-        else if (is_link(dirname)) {
+        else if (s.st_uid != getuid()) {
                 fprintf(stderr, "Error: invalid ~/.firejail directory\n");
                 exit(1);
         }
@@ -994,20 +1020,25 @@ void fs_overlayfs(void) {
 
 #ifdef HAVE_CHROOT              
 // return 1 if error
-int fs_check_chroot_dir(const char *rootdir) {
+void fs_check_chroot_dir(const char *rootdir) {
         EUID_ASSERT();
         assert(rootdir);
         struct stat s;
         char *name;
 
+        if (strcmp(rootdir, "/tmp") == 0 || strcmp(rootdir, "/var/tmp") == 0) {
+                fprintf(stderr, "Error: invalid chroot directory\n");
+                exit(1);
+        }
+
         // rootdir has to be owned by root
         if (stat(rootdir, &s) != 0) {
                 fprintf(stderr, "Error: cannot find chroot directory\n");
-                return 1;
+                exit(1);
         }
         if (s.st_uid != 0) {
                 fprintf(stderr, "Error: chroot directory should be owned by root\n");
-                return 1;
+                exit(1);
         }
 
         // check /dev
@@ -1015,7 +1046,11 @@ int fs_check_chroot_dir(const char *rootdir) {
                 errExit("asprintf");
         if (stat(name, &s) == -1) {
                 fprintf(stderr, "Error: cannot find /dev in chroot directory\n");
-                return 1;
+                exit(1);
+        }
+        if (s.st_uid != 0) {
+                fprintf(stderr, "Error: chroot /dev directory should be owned by root\n");
+                exit(1);
         }
         free(name);
 
@@ -1024,7 +1059,11 @@ int fs_check_chroot_dir(const char *rootdir) {
                 errExit("asprintf");
         if (stat(name, &s) == -1) {
                 fprintf(stderr, "Error: cannot find /var/tmp in chroot directory\n");
-                return 1;
+                exit(1);
+        }
+        if (s.st_uid != 0) {
+                fprintf(stderr, "Error: chroot /var/tmp directory should be owned by root\n");
+                exit(1);
         }
         free(name);
         
@@ -1033,7 +1072,11 @@ int fs_check_chroot_dir(const char *rootdir) {
                 errExit("asprintf");
         if (stat(name, &s) == -1) {
                 fprintf(stderr, "Error: cannot find /proc in chroot directory\n");
-                return 1;
+                exit(1);
+        }
+        if (s.st_uid != 0) {
+                fprintf(stderr, "Error: chroot /proc directory should be owned by root\n");
+                exit(1);
         }
         free(name);
         
@@ -1042,18 +1085,41 @@ int fs_check_chroot_dir(const char *rootdir) {
                 errExit("asprintf");
         if (stat(name, &s) == -1) {
                 fprintf(stderr, "Error: cannot find /tmp in chroot directory\n");
-                return 1;
+                exit(1);
+        }
+        if (s.st_uid != 0) {
+                fprintf(stderr, "Error: chroot /tmp directory should be owned by root\n");
+                exit(1);
+        }
+        free(name);
+
+        // check /etc
+        if (asprintf(&name, "%s/etc", rootdir) == -1)
+                errExit("asprintf");
+        if (stat(name, &s) == -1) {
+                fprintf(stderr, "Error: cannot find /etc in chroot directory\n");
+                exit(1);
+        }
+        if (s.st_uid != 0) {
+                fprintf(stderr, "Error: chroot /etc directory should be owned by root\n");
+                exit(1);
         }
         free(name);
 
-        // check /bin/bash
-//      if (asprintf(&name, "%s/bin/bash", rootdir) == -1)
-//              errExit("asprintf");
-//      if (stat(name, &s) == -1) {
-//              fprintf(stderr, "Error: cannot find /bin/bash in chroot directory\n");
-//              return 1;
-//      }
-//      free(name);
+        // check /etc/resolv.conf
+        if (asprintf(&name, "%s/etc/resolv.conf", rootdir) == -1)
+                errExit("asprintf");
+        if (stat(name, &s) == 0) {
+                if (s.st_uid != 0) {
+                        fprintf(stderr, "Error: chroot /etc/resolv.conf should be owned by root\n");
+                        exit(1);
+                }
+        }
+        if (is_link(name)) {
+                fprintf(stderr, "Error: invalid %s file\n", name);
+                exit(1);
+        }
+        free(name);
 
         // check x11 socket directory
         if (getenv("FIREJAIL_X11")) {
@@ -1063,12 +1129,14 @@ int fs_check_chroot_dir(const char *rootdir) {
                         errExit("asprintf");
                 if (stat(name, &s) == -1) {
                         fprintf(stderr, "Error: cannot find /tmp/.X11-unix in chroot directory\n");
-                        return 1;
+                        exit(1);
+                }
+                if (s.st_uid != 0) {
+                        fprintf(stderr, "Error: chroot /tmp/.X11-unix directory should be owned by root\n");
+                        exit(1);
                 }
                 free(name);
         }
-        
-        return 0;       
 }
 
 // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
@@ -1099,10 +1167,16 @@ void fs_chroot(const char *rootdir) {
                         free(newx11);
                 }
                 
+                // some older distros don't have a /run directory
+                // create one by default
                 // create /run/firejail directory in chroot
                 char *rundir;
                 if (asprintf(&rundir, "%s/run", rootdir) == -1)
                         errExit("asprintf");
+                if (is_link(rundir)) {
+                        fprintf(stderr, "Error: invalid run directory inside chroot\n");
+                        exit(1);
+                }
                 create_empty_dir_as_root(rundir, 0755);
                 free(rundir);
                 if (asprintf(&rundir, "%s/run/firejail", rootdir) == -1)
@@ -1129,7 +1203,7 @@ void fs_chroot(const char *rootdir) {
                         fprintf(stderr, "Error: invalid %s file\n", fname);
                         exit(1);
                 }
-                if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1)
+                if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) // root needed
                         fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n");
         }
         
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index d710e98f2..bd9b9e828 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -28,6 +28,7 @@
 #ifndef _BSD_SOURCE
 #define _BSD_SOURCE 
 #endif
+#include <sys/sysmacros.h>
 #include <sys/types.h>
 
 typedef struct {
@@ -51,7 +52,7 @@ static DevEntry dev[] = {
         {"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", 0, 1},
         {"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", 0, 1},
         {"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", 0, 1},
-        {"/dev/nvidia-modset", RUN_DEV_DIR "/nvidia-modset", 0, 1},
+        {"/dev/nvidia-modeset", RUN_DEV_DIR "/nvidia-modeset", 0, 1},
         {"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", 0, 1},
         {NULL, NULL, 0, 0}
 };
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index 479383af2..f14e90deb 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -31,8 +31,8 @@ void fs_machineid(void) {
                 uint32_t u32[4];
         } mid;
 
-        // if --machine-id flag is active, do nothing
-        if (arg_machineid)
+        // if --machine-id flag is inactive, do nothing
+        if (arg_machineid == 0)
                 return;
 
         // init random number generator
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 4de082b06..8a52314ed 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -42,19 +42,17 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                 // don't copy it if we already have the file
                 if (stat(fname, &s) == 0)
                         return;
+                if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat
+                        fprintf(stderr, "Error: invalid %s file\n", fname);
+                        exit(1);
+                }
                 if (stat("/etc/skel/.zshrc", &s) == 0) {
-                        if (copy_file("/etc/skel/.zshrc", fname, u, g, 0644) == 0) {
-                                fs_logger("clone /etc/skel/.zshrc");
-                        }
+                        copy_file_as_user("/etc/skel/.zshrc", fname, u, g, 0644); // regular user
+                        fs_logger("clone /etc/skel/.zshrc");
                 }
-                else { // 
-                        FILE *fp = fopen(fname, "w");
-                        if (fp) {
-                                fprintf(fp, "\n");
-                                SET_PERMS_STREAM(fp, u, g, S_IRUSR | S_IWUSR);
-                                fclose(fp);
-                                fs_logger2("touch", fname);
-                        }
+                else {
+                        touch_file_as_user(fname, u, g, 0644);
+                        fs_logger2("touch", fname);
                 }
                 free(fname);
         }
@@ -64,23 +62,21 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                 if (asprintf(&fname, "%s/.cshrc", homedir) == -1)
                         errExit("asprintf");
                 struct stat s;
+                
                 // don't copy it if we already have the file
                 if (stat(fname, &s) == 0)
                         return;
+                if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat
+                        fprintf(stderr, "Error: invalid %s file\n", fname);
+                        exit(1);
+                }
                 if (stat("/etc/skel/.cshrc", &s) == 0) {
-                        if (copy_file("/etc/skel/.cshrc", fname, u, g, 0644) == 0) {
-                                fs_logger("clone /etc/skel/.cshrc");
-                        }
+                        copy_file_as_user("/etc/skel/.cshrc", fname, u, g, 0644); // regular user
+                        fs_logger("clone /etc/skel/.cshrc");
                 }
-                else { // 
-                        /* coverity[toctou] */
-                        FILE *fp = fopen(fname, "w");
-                        if (fp) {
-                                fprintf(fp, "\n");
-                                SET_PERMS_STREAM(fp, u, g, S_IRUSR | S_IWUSR);
-                                fclose(fp);
-                                fs_logger2("touch", fname);
-                        }
+                else {
+                        touch_file_as_user(fname, u, g, 0644);
+                        fs_logger2("touch", fname);
                 }
                 free(fname);
         }
@@ -93,10 +89,13 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                 // don't copy it if we already have the file
                 if (stat(fname, &s) == 0) 
                         return;
+                if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat
+                        fprintf(stderr, "Error: invalid %s file\n", fname);
+                        exit(1);
+                }
                 if (stat("/etc/skel/.bashrc", &s) == 0) {
-                        if (copy_file("/etc/skel/.bashrc", fname, u, g, 0644) == 0) {
-                                fs_logger("clone /etc/skel/.bashrc");
-                        }
+                        copy_file_as_user("/etc/skel/.bashrc", fname, u, g, 0644); // regular user
+                        fs_logger("clone /etc/skel/.bashrc");
                 }
                 free(fname);
         }
@@ -106,7 +105,7 @@ static int store_xauthority(void) {
         // put a copy of .Xauthority in XAUTHORITY_FILE
         char *src;
         char *dest = RUN_XAUTHORITY_FILE;
-        // create an empty file 
+        // create an empty file as root, and change ownership to user
         FILE *fp = fopen(dest, "w");
         if (fp) {
                 fprintf(fp, "\n");
@@ -124,27 +123,8 @@ static int store_xauthority(void) {
                         return 0;
                 }
 
-                pid_t child = fork();
-                if (child < 0)
-                        errExit("fork");
-                if (child == 0) {
-                        // drop privileges
-                        drop_privs(0);
-        
-                        // copy, set permissions and ownership
-                        int rv = copy_file(src, dest, getuid(), getgid(), 0600);
-                        if (rv)
-                                fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
-                        else {
-                                fs_logger2("clone", dest);
-                        }
-#ifdef HAVE_GCOV
-                        __gcov_flush();
-#endif
-                        _exit(0);
-                }
-                // wait for the child to finish
-                waitpid(child, NULL, 0);
+                copy_file_as_user(src, dest, getuid(), getgid(), 0600); // regular user
+                fs_logger2("clone", dest);
                 return 1; // file copied
         }
         
@@ -152,9 +132,10 @@ static int store_xauthority(void) {
 }
 
 static int store_asoundrc(void) {
+        // put a copy of .Xauthority in XAUTHORITY_FILE
         char *src;
         char *dest = RUN_ASOUNDRC_FILE;
-        // create an empty file 
+        // create an empty file as root, and change ownership to user
         FILE *fp = fopen(dest, "w");
         if (fp) {
                 fprintf(fp, "\n");
@@ -182,27 +163,8 @@ static int store_asoundrc(void) {
                         free(rp);
                 }
 
-                pid_t child = fork();
-                if (child < 0)
-                        errExit("fork");
-                if (child == 0) {
-                        // drop privileges
-                        drop_privs(0);
-        
-                        // copy, set permissions and ownership
-                        int rv = copy_file(src, dest, getuid(), getgid(), 0644);
-                        if (rv)
-                                fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
-                        else {
-                                fs_logger2("clone", dest);
-                        }
-#ifdef HAVE_GCOV
-                        __gcov_flush();
-#endif
-                        _exit(0);
-                }
-                // wait for the child to finish
-                waitpid(child, NULL, 0);
+                copy_file_as_user(src, dest, getuid(), getgid(), 0644); // regular user
+                fs_logger2("clone", dest);
                 return 1; // file copied
         }
         
@@ -222,27 +184,8 @@ static void copy_xauthority(void) {
                 exit(1);
         }
 
-        pid_t child = fork();
-        if (child < 0)
-                errExit("fork");
-        if (child == 0) {
-                // drop privileges
-                drop_privs(0);
-
-                // copy, set permissions and ownership
-                int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
-                if (rv)
-                        fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
-                else {
-                        fs_logger2("clone", dest);
-                }
-#ifdef HAVE_GCOV
-                __gcov_flush();
-#endif
-                _exit(0);
-        }
-        // wait for the child to finish
-        waitpid(child, NULL, 0);
+        copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user
+        fs_logger2("clone", dest);
         
         // delete the temporary file
         unlink(src);
@@ -261,27 +204,8 @@ static void copy_asoundrc(void) {
                 exit(1);
         }
 
-        pid_t child = fork();
-        if (child < 0)
-                errExit("fork");
-        if (child == 0) {
-                // drop privileges
-                drop_privs(0);
-
-                // copy, set permissions and ownership
-                int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
-                if (rv)
-                        fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
-                else {
-                        fs_logger2("clone", dest);
-                }
-#ifdef HAVE_GCOV
-                __gcov_flush();
-#endif
-                _exit(0);
-        }
-        // wait for the child to finish
-        waitpid(child, NULL, 0);
+        copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user
+        fs_logger2("clone", dest);
 
         // delete the temporary file
         unlink(src);
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
index 5b6ceae90..d29f58a58 100644
--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -112,33 +112,8 @@ void fs_mkfile(const char *name) {
         }
 
         // create file
-        pid_t child = fork();
-        if (child < 0)
-                errExit("fork");
-        if (child == 0) {
-                // drop privileges
-                drop_privs(0);
-
-                /* coverity[toctou] */
-                FILE *fp = fopen(expanded, "w");
-                if (!fp)
-                        fprintf(stderr, "Warning: cannot create %s file\n", expanded);
-                else {
-                        int fd = fileno(fp);
-                        if (fd == -1)
-                                errExit("fileno");
-                        int rv = fchmod(fd, 0600);
-                        (void) rv;
-                        fclose(fp);
-                }
-#ifdef HAVE_GCOV
-                __gcov_flush();
-#endif
-                _exit(0);
-        }
-        // wait for the child to finish
-        waitpid(child, NULL, 0);
-
+        touch_file_as_user(expanded, getuid(), getgid(), 0600);
+        
 doexit:
         free(expanded);
 }
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 77eb35f97..1af56751a 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -336,7 +336,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                         drop_privs(0);
                         
                         // copy the file
-                        if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600))
+                        if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user
                                 _exit(1);
 #ifdef HAVE_GCOV
                         __gcov_flush();
@@ -362,7 +362,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                         drop_privs(0);
                         
                         // copy the file
-                        if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600))
+                        if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user
                                 _exit(1);
 #ifdef HAVE_GCOV
                         __gcov_flush();
@@ -411,7 +411,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                         drop_privs(0);
                         
                         // copy the file
-                        if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600))
+                        if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user
                                 _exit(1);
 #ifdef HAVE_GCOV
                         __gcov_flush();
@@ -443,7 +443,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                         drop_privs(0);
                         
                         // copy the file
-                        if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600))
+                        if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user
                                 _exit(1);
 #ifdef HAVE_GCOV
                         __gcov_flush();
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 3a347b3d9..84bf5e8e6 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1468,13 +1468,10 @@ int main(int argc, char **argv) {
                                         fprintf(stderr, "Error: invalid chroot directory\n");
                                         exit(1);
                                 }
-                                free(rpath);
+                                cfg.chrootdir = rpath;
                                 
                                 // check chroot directory structure
-                                if (fs_check_chroot_dir(cfg.chrootdir)) {
-                                        fprintf(stderr, "Error: invalid chroot\n");
-                                        exit(1);
-                                }
+                                fs_check_chroot_dir(cfg.chrootdir);
                         }
                         else
                                 exit_err_feature("chroot");
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index d2db7d3dd..e17f39caa 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -76,12 +76,12 @@ void preproc_mount_mnt_dir(void) {
                 fs_logger2("tmpfs", RUN_MNT_DIR);
                 
                 //copy defaultl seccomp files
-                copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644);
-                copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644);
+                copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644); // root needed
+                copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644); // root needed
                 if (arg_allow_debuggers)
-                        copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
+                        copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
                 else
-                        copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
+                        copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
                         
                 // as root, create an empty RUN_SECCOMP_PROTOCOL file
                 create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index fab4f1efa..33b6eab91 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1017,6 +1017,11 @@ void profile_read(const char *fname) {
         // open profile file:
         FILE *fp = fopen(fname, "r");
         if (fp == NULL) {
+                // if the file ends in ".local", do not exit
+                char *ptr = strstr(fname, ".local");
+                if (ptr && strlen(ptr) == 6)
+                        return;
+                
                 fprintf(stderr, "Error: cannot open profile file %s\n", fname);
                 exit(1);
         }
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 14a7f03dd..4ec84ec61 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -22,6 +22,7 @@
 #include <sys/stat.h>
 #include <sys/mount.h>
 #include <dirent.h>
+#include <sys/wait.h>
 
 static void disable_file(const char *path, const char *file) {
         assert(file);
@@ -113,7 +114,7 @@ void pulseaudio_init(void) {
         char *pulsecfg = NULL;
         if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1)
                 errExit("asprintf");
-        if (copy_file("/etc/pulse/client.conf", pulsecfg, -1, -1, 0644))
+        if (copy_file("/etc/pulse/client.conf", pulsecfg, -1, -1, 0644)) // root needed
                 errExit("copy_file");
         FILE *fp = fopen(pulsecfg, "a+");
         if (!fp)
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 5b94aa288..10000e912 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -28,6 +28,7 @@
 #include <grp.h>
 #include <sys/ioctl.h>
 #include <termios.h>
+#include <sys/wait.h>
 
 #define MAX_GROUPS 1024
 // drop privileges
@@ -218,6 +219,51 @@ int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, m
         return 0;
 }
 
+// return -1 if error, 0 if no error
+void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) {
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                // drop privileges
+                drop_privs(0);
+
+                // copy, set permissions and ownership
+                int rv = copy_file(srcname, destname, uid, gid, mode); // already a regular user
+                if (rv)
+                        fprintf(stderr, "Warning: cannot copy %s\n", srcname);
+#ifdef HAVE_GCOV
+                __gcov_flush();
+#endif
+                _exit(0);
+        }
+        // wait for the child to finish
+        waitpid(child, NULL, 0);
+}
+
+// return -1 if error, 0 if no error
+void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode) {
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                // drop privileges
+                drop_privs(0);
+
+                FILE *fp = fopen(fname, "w");
+                if (fp) {
+                        fprintf(fp, "\n");
+                        SET_PERMS_STREAM(fp, uid, gid, mode);
+                        fclose(fp);
+                }
+#ifdef HAVE_GCOV
+                __gcov_flush();
+#endif
+                _exit(0);
+        }
+        // wait for the child to finish
+        waitpid(child, NULL, 0);
+}
 
 // return 1 if the file is a directory
 int is_dir(const char *fname) {
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 91017237d..4e0b46fb8 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -653,11 +653,7 @@ void x11_xorg(void) {
         struct stat s;
         if (stat(dest, &s) == -1) {
                 // create an .Xauthority file
-                FILE *fp = fopen(dest, "w");
-                if (!fp)
-                        errExit("fopen");
-                SET_PERMS_STREAM(fp, getuid(), getgid(), 0600);
-                fclose(fp);
+                touch_file_as_user(dest, getuid(), getgid(), 0600);
         }
 
         // check xauth utility is present in the system
@@ -666,6 +662,10 @@ void x11_xorg(void) {
                 exit(1);
         }
 
+        // temporarily mount a tempfs on top of /tmp directory
+        if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=777,gid=0") < 0)
+                errExit("mounting /tmp");
+
         // create a temporary .Xauthority file
         char tmpfname[] = "/tmp/.tmpXauth-XXXXXX";
         int fd = mkstemp(tmpfname);
@@ -673,9 +673,9 @@ void x11_xorg(void) {
                 fprintf(stderr, "Error: cannot create .Xauthority file\n");
                 exit(1);
         }
-        close(fd);
-        if (chown(tmpfname, getuid(), getgid()) == -1)
+        if (fchown(fd, getuid(), getgid()) == -1)
                 errExit("chown");
+        close(fd);
 
         pid_t child = fork();
         if (child < 0)
@@ -713,7 +713,7 @@ void x11_xorg(void) {
         
         // move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted
         // automatically when the sandbox is closed
-        if (copy_file(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600)) {
+        if (copy_file(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600)) { // root needed
                 fprintf(stderr, "Error: cannot create the new .Xauthority file\n");
                 exit(1);
         }
@@ -730,5 +730,8 @@ void x11_xorg(void) {
         if (set_perms(dest, getuid(), getgid(), 0600))
                 errExit("set_perms");
         free(dest);
+        
+        // unmount /tmp
+        umount("/tmp");
 #endif  
 }
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index fa522c154..ecb8be139 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -86,6 +86,10 @@ file in user home directory.
 
 Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file.
 
+If the file is not found, and the file name does not end in ".local", the sandbox exist immediately
+with an error printed on stderr. ".local" files can be used to customize the global configuration
+in /etc/firejail directory. These files are not overwritten during software install.
+
 .TP
 \fBnoblacklist file_name
 If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow.
@@ -448,7 +452,7 @@ Assign MAC addresses to the last network interface defined by a net command.
 
 .TP
 \fBmachine-id
-Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
+Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox.
 
 .TP
 \fBmtu number
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 69d28c788..69ed2a8dc 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -678,7 +678,7 @@ $ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox
 
 .TP
 \fB\-\-machine-id
-Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
+Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox.
 .br
 
 .br