diff --git a/src/firecfg/Makefile.in b/src/firecfg/Makefile.in index b6dbb039da7..e860643dfcd 100644 --- a/src/firecfg/Makefile.in +++ b/src/firecfg/Makefile.in @@ -2,11 +2,11 @@ all: firecfg include ../common.mk -%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h +%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/firejail_user.h ../include/pid.h $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ -firecfg: $(OBJS) ../lib/common.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) +firecfg: $(OBJS) ../lib/common.o ../lib/firejail_user.o + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/firejail_user.o $(LIBS) $(EXTRA_LDFLAGS) clean:; rm -f *.o firecfg *.gcov *.gcda *.gcno diff --git a/src/firecfg/main.c b/src/firecfg/main.c index e636dc385b2..a54607aece7 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c @@ -19,6 +19,7 @@ */ #include "firecfg.h" +#include "../include/firejail_user.h" int arg_debug = 0; static char *usage_str = @@ -29,6 +30,7 @@ static char *usage_str = "The symbolic links are placed in /usr/local/bin. For more information, see\n" "DESKTOP INTEGRATION section in man 1 firejail.\n\n" "Usage: firecfg [OPTIONS]\n\n" + " --add-users user [user] - add the users to Firejail access database\n" " --clean - remove all firejail symbolic links.\n\n" " --debug - print debug messages.\n\n" " --fix - fix .desktop files.\n\n" 
@@ -315,6 +317,19 @@ int main(int argc, char **argv) { sound(); return 0; } + else if (strcmp(argv[i], "--add-users") == 0) { + int j; + if (getuid() != 0) { + fprintf(stderr, "Error: you need to be root to use this option\n"); + exit(1); + } + + for (j = i + 1; j < argc; j++) { + printf("Adding user %s to Firejail access database in %s/firejail.users\n", argv[j], SYSCONFDIR); + firejail_user_add(argv[j]); + } + return 0; + } else { fprintf(stderr, "Error: invalid command line option\n"); usage(); @@ -353,7 +368,7 @@ int main(int argc, char **argv) { - // switch to the local user, and fix desktop files + // user setup char *user = getlogin(); if (!user) { user = getenv("SUDO_USER"); @@ -362,6 +377,13 @@ int main(int argc, char **argv) { } } + // add user to firejail access database + if (user) { + printf("\nAdding user %s to Firejail access database in %s/firejail.users\n", user, SYSCONFDIR); + firejail_user_add(user); + } + + // switch to the local user, and fix desktop files if (user) { // find home directory struct passwd *pw = getpwnam(user); diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index 9bd2f9c2268..48d985d73ec 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in 
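Review bot: The `--add-users` branch returns 0 whether or not anything was added, because `firejail_user_add()` is declared `void`. A name rejected by its `getpwnam()` lookup, or a failed `fopen()`, still follows the "Adding user ..." message and a success exit status, so a provisioning script cannot tell that a user was left out of the access database. Consider returning an int from `firejail_user_add()` and exiting non-zero on failure. An empty list should also be rejected before the loop with `if (i + 1 >= argc) { fprintf(stderr, "Error: --add-users requires at least one user name\n"); exit(1); }`. `main()` starts and ends outside this hunk.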
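Review bot: The new `if (user)` block enrols whoever `getlogin()` or the `SUDO_USER` environment variable names into the access database as a side effect of every default `firecfg` run, and nothing in the hunk checks that the process is root or that the write succeeded. The "Adding user ..." line is printed before `firejail_user_add()` runs, so an unprivileged run would announce the addition and then fail in `fopen()`. Guarding the block as `if (user && getuid() == 0)`, matching the `--add-users` branch, and mentioning the implicit enrolment in the usage text would make the allow-list change explicit to administrators. The rest of `main()` lies outside the hunk, so an earlier root check may already exist.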
@@ -2,11 +2,11 @@ all: firejail include ../common.mk -%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h +%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ -firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS) +firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o $(LIBS) $(EXTRA_LDFLAGS) clean:; rm -f *.o firejail *.gcov *.gcda *.gcno diff --git a/src/firejail/main.c b/src/firejail/main.c index f34d2eb797b..e676bbd7c95 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -19,6 +19,7 @@ */ #include "firejail.h" #include "../include/pid.h" +#include "../include/firejail_user.h" #define _GNU_SOURCE #include #include @@ -229,6 +230,15 @@ static void init_cfg(int argc, char **argv) { } cfg.cwd = getcwd(NULL, 0); + // chack user database + if (!firejail_user_check(cfg.username)) { + fprintf(stderr, "Error: the user is not allowed to use Firejail. " + "Please add the user in %s/firejail.users file, " + "either by running \"sudo firecfg\", or by editing the file directly." + "See \"man firejail-users\" for more details.\n", SYSCONFDIR); + exit(1); + } + // initialize random number generator sandbox_pid = getpid(); time_t t = time(NULL); @@ -830,7 +840,6 @@ int main(int argc, char **argv) { int lockfd_directory = -1; int option_cgroup = 0; int custom_profile = 0; // custom profile loaded - atexit(clear_atexit); // drop permissions by default and rise them when required EUID_INIT(); 
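Review bot: The error text in the added `firejail_user_check()` block joins two literals with no separator, `"...editing the file directly."` followed by `"See \"man firejail-users\"..."`, so the user reads `directly.See`; end the first literal with `directly. "`. The comment above it, `// chack user database`, should read `// check user database`. `firejail_user_check()` guards its argument only with `assert(name)`, so if `cfg.username` can be NULL here (its assignment is outside the hunk) an explicit NULL check before the call would be safer in builds with assertions disabled. `init_cfg()` begins and ends outside this hunk.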
@@ -844,9 +853,11 @@ int main(int argc, char **argv) { if (check_arg(argc, argv, "--quiet", 1)) arg_quiet = 1; + // cleanup at exit + EUID_ROOT(); + atexit(clear_atexit); // build /run/firejail directory structure - EUID_ROOT(); preproc_build_firejail_dir(); char *container_name = getenv("container"); if (!container_name || strcmp(container_name, "firejail")) { diff --git a/src/include/firejail_user.h b/src/include/firejail_user.h new file mode 100644 index 00000000000..a7d30225ef9 --- /dev/null +++ b/src/include/firejail_user.h @@ -0,0 +1,30 @@ +/* + * Copyright (C) 2014-2018 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ +#ifndef FIREJAIL_USER_H +#define FIREJAIL_USER_H + + +// returns 1 if the user is found in the database or if the database was not created +int firejail_user_check(const char *name); + +// add a user to the database +void firejail_user_add(const char *name); + +#endif diff --git a/src/lib/firejail_user.c b/src/lib/firejail_user.c new file mode 100644 index 00000000000..5d92aa1332f --- /dev/null +++ b/src/lib/firejail_user.c 
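Review bot: `EUID_ROOT()` now comes before `atexit(clear_atexit)`, although registering an exit handler needs no privilege. Keeping `atexit(clear_atexit);` first and `EUID_ROOT();` directly above `preproc_build_firejail_dir();` would leave the elevated section exactly as small as it was. The comment `// cleanup at exit` also does not say why the registration moved below the `--quiet` check. Presumably it is so that the early `exit(1)` for users missing from the access database skips `clear_atexit`, and a one-line comment saying so would help the next reader. `main()` continues outside the hunk.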
@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) 2014-2018 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+//
+// Firejail access database inplementation
+//
+// The database is a simple list of users allowed to run firejail SUID executable
+// It is usually stored in /etc/firejail/firejail.users
+// One username per line in the file
+
+#include "../include/common.h"
+#include
+#include
+
+#define MAXBUF 4098
+static inline char *get_fname(void) {
+ char *fname;
+ if (asprintf(&fname, "%s/firejail.users", SYSCONFDIR) == -1)
+ errExit("asprintf");
+ return fname;
+}
+
+// returns 1 if the user is found in the database or if the database was not created
+int firejail_user_check(const char *name) {
+ assert(name);
+
+ // root allowed by default
+ if (strcmp(name, "root") == 0)
+ return 1;
+
+ // check file existence
+ char *fname = get_fname();
+ if (access(fname, F_OK)) {
+ free(fname);
+ return 1; // assume the user doesn't care about access checking
+ }
+
+ FILE *fp = fopen(fname, "r");
+ free(fname);
+ if (!fp)
+ return 0;
+
+ char buf[MAXBUF];
+ while (fgets(buf, MAXBUF, fp)) {
+ // lines starting with # are comments
+ if (*buf == '#')
+ continue;
+
+ // remove \n
+ char *ptr = strchr(buf, '\n');
+ if (ptr)
+ *ptr = '\0';
+
+ // compare
+ if (strcmp(buf, name) == 0) {
+ fclose(fp);
+ return 1;
+ }
+ }
+
+ fclose(fp);
+ return 0;
+}
+
+// add a user to the database
+void firejail_user_add(const char *name) {
+ assert(name);
+
+ // is this a real user?
+ struct passwd *pw = getpwnam(name);
+ if (!pw) {
+ fprintf(stderr, "Error: user %s not found on this system.\n", name);
+ return;
+ }
+
+ // check the user is not already in the database
+ char *fname = get_fname();
+ assert(fname);
+ if (access(fname, F_OK) == 0) {
+ if (firejail_user_check(name)) {
+ printf("User %s already in the database\n", name);
+ return;
+ }
+ }
+
+ printf("%s created\n", fname);
+ FILE *fp = fopen(fname, "a+");
+ if (!fp) {
+ fprintf(stderr, "Error: cannot open %s\n", fname);
+ perror("fopen");
+ free(fname);
+ return;
+ }
+ free(fname);
+
+ fprintf(fp, "%s\n", name);
+ fclose(fp);
+}
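Review bot: `firejail_user_check()` returns 1 whenever `access(fname, F_OK)` fails, so any error, not only a missing file, switches the allow-list off, and the separate `access()`/`fopen()` pair leaves a window between the existence test and the read. Opening the file directly and allowing the fall-through only for `ENOENT` keeps the documented "no database, no restriction" behaviour while failing closed on everything else, as sketched below (it needs `errno.h` in scope). In `firejail_user_add()` the file is created by `fopen(fname, "a+")`, so its permissions follow the caller's umask; for a file that decides who may run a SUID binary, an explicit mode such as `fchmod(fileno(fp), 0644)` right after opening would be safer. The early `return` after "already in the database" also leaks `fname`, and `"%s created"` is printed before `fopen()` has succeeded and even when the file already existed.

```c
	// check file existence
	char *fname = get_fname();
	FILE *fp = fopen(fname, "r");
	int open_errno = errno;	// save before free() can disturb it
	free(fname);
	if (!fp) {
		// only a missing database disables access checking
		return (open_errno == ENOENT) ? 1 : 0;
	}
	// … unchanged: line-by-line comparison against name …
```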