diff --git a/README.md b/README.md index 90b5c83..2344ce7 100644 --- a/README.md +++ b/README.md @@ -99,6 +99,9 @@ a target for ROP. * The vivid kernel module is blacklisted as it's only required for testing and has been the cause of multiple vulnerabilities. +* The kernel panics on oopses to prevent it from continuing to run a flawed +process and to deter brute forcing. + Improve Entropy Collection * Load jitterentropy_rng kernel module. diff --git a/changelog.upstream b/changelog.upstream index f18bef7..31cfb29 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,61 @@
+commit 660837dc380440f6b00d3baf9395222376163b3b
+Author: Patrick Schleizer
+Date: Tue Jan 14 09:25:32 2020 -0500
+
+ fix case when user "user" does not exists
+
+commit 18c726c3eebc93f69062f1e4c1d3c7ab394985c3
+Author: Patrick Schleizer
+Date: Tue Jan 14 09:23:02 2020 -0500
+
+ comment
+
+commit b8652681e741236af2e20876d7103b2dfb0ae9bf
+Author: Patrick Schleizer
+Date: Tue Jan 14 09:21:47 2020 -0500
+
+ fix legacy
+
+commit cc21f912a372faef8322801e9a48882f29159c2d
+Author: Patrick Schleizer
+Date: Tue Jan 14 09:20:36 2020 -0500
+
+ bumped changelog version
+
+commit 2078cd237f2aaad8d68c1c5eab3f9942460ecd3c
+Author: Patrick Schleizer
+Date: Tue Jan 14 09:18:30 2020 -0500
+
+ readme
+
+commit c377c5ff83437a5447ecc9c873150421f4f1e691
+Merge: 8341242 539f24b
+Author: Patrick Schleizer
+Date: Tue Jan 14 09:01:38 2020 -0500
+
+ Merge remote-tracking branch 'origin/master'
+
+commit 539f24b65ee7739487d8038fcb1fdfb1ed62ab22
+Merge: 8341242 0953bbe
+Author: Patrick Schleizer
+Date: Tue Jan 14 14:01:17 2020 +0000
+
+ Merge pull request #54 from madaidan/panic_on_oops
+
+ Document panic_on_oops
+
+commit 0953bbe1d7f3e789aef2218a65c14c586dab4bcb
+Author: madaidan <50278627+madaidan@users.noreply.github.com>
+Date: Mon Jan 13 21:05:35 2020 +0000
+
+ Update control
+
+commit 8341242abc342d9cbd82afe12f512daf73a9e59a
+Author: Patrick Schleizer
+Date: Sat Jan 11 15:19:29 2020 -0500
+
+ bumped changelog version
+
 commit 130a4cf6d433f4d862e10e31abbc2b1f3b1614d2
 Author: Patrick Schleizer
 Date: Sat Jan 11 15:17:06 2020 -0500
diff --git a/debian/changelog b/debian/changelog
index 3e3c03b..36cc82f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@ +security-misc (3:14.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2020 14:28:28 +0000 + +security-misc (3:14.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2020 14:20:36 +0000 + security-misc (3:14.3-1) unstable; urgency=medium * New upstream version (local package). diff --git a/debian/control b/debian/control index a674a35..516f2fa 100644 --- a/debian/control +++ b/debian/control @@ -119,6 +119,9 @@ Description: enhances misc security settings . * An initramfs hook sets the sysctl values in /etc/sysctl.d before init is executed so our hardening is enabled as early as possible. + . + * The kernel panics on oopses to prevent it from continuing to run a flawed + process and to deter brute forcing. . Improve Entropy Collection . diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst index 0c00452..0f77ca4 100644 --- a/debian/security-misc.preinst +++ b/debian/security-misc.preinst @@ -102,7 +102,7 @@ console_users_check() { fi console_users="$(getent group console | cut -d: -f4)" - ## example ssh_users: + ## example console_users: ## user console_unrestricted_users="$(getent group console-unrestricted | cut -d: -f4)" @@ -150,7 +150,7 @@ legacy() { continue_yes=true fi - if [ "$continue_yes" = "yes" ]; then + if [ ! "$continue_yes" = "yes" ]; then return 0 fi @@ -165,6 +165,11 @@ legacy() { user_to_be_created=user + if ! id "$user_to_be_created" &>/dev/null ; then + true "INFO: user '$user_to_be_created' does not exist. Skipping addgroup console and pam-auth-update." + return 0 + fi + addgroup "$user_to_be_created" console pam-auth-update --enable console-lockdown-security-misc diff --git a/etc/sudoers.d/pkexec-security-misc b/etc/sudoers.d/pkexec-security-misc new file mode 100644 index 0000000..1572b03 --- /dev/null +++ b/etc/sudoers.d/pkexec-security-misc 
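Review bot: The inverted guard `if [ ! "$continue_yes" = "yes" ]; then return 0` in legacy() tests for the string `yes`, but the only assignment visible in this hunk is `continue_yes=true`, so unless some path outside the hunk assigns `yes`, the function now always returns before `addgroup` and `pam-auth-update` run. Make the flag and the comparison agree, e.g. `if [ "$continue_yes" != "true" ]; then`, or assign `continue_yes=yes` where the flag is set. legacy() starts before and ends after this hunk, so the other assignments are not visible here.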
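Review bot: The early `return 0` added when user `user` does not exist also skips `pam-auth-update --enable console-lockdown-security-misc`, which is a system-wide PAM change rather than something tied to that account; the log message says it is skipped but not why, so a reader cannot tell whether this is deliberate. If the reason is that enabling the lockdown with nobody in group `console` could lock tty logins out, say so: `## Do not enable the console lockdown without a member in group console, or tty logins would be locked out.` The `&>/dev/null` redirection is bash-only; the preinst's interpreter line is outside this hunk, so if the script runs under /bin/sh prefer `>/dev/null 2>&1`.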
@@ -0,0 +1,11 @@
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## REVIEW: is it ok that users can find out the PATH setting of root?
+%sudo ALL=NOPASSWD: /usr/lib/security-misc/echo-path
+
+## xfpm-power-backlight-helper demands environment variable PKEXEC_UID to be
+## set. Would otherwise error out with the following error message:
+## "This program must only be run through pkexec"
+## REVIEW: Can bad things be done by spoofing PKEXEC_UID?
+Defaults:ALL env_keep += "PKEXEC_UID"
diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc
index a3a7114..3f98634 100644
--- a/etc/sudoers.d/security-misc
+++ b/etc/sudoers.d/security-misc
@@ -3,5 +3,3 @@
 user ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops
 %sudo ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops
-
-%sudo ALL=NOPASSWD: /usr/lib/security-misc/echo-path
diff --git a/etc/sudoers.d/xfce-security-misc b/etc/sudoers.d/xfce-security-misc
new file mode 100644
index 0000000..8e75102
--- /dev/null
+++ b/etc/sudoers.d/xfce-security-misc
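Review bot: `Defaults:ALL env_keep += "PKEXEC_UID"` applies to every sudoers rule on the host, not only to the backlight helper, so any user may hand an arbitrary PKEXEC_UID to any command they are allowed to run through sudo; pkexec itself sets that variable to the invoking user's numeric uid after clearing the environment, so a helper that uses it to identify the caller can be fed a forged value here, which answers the REVIEW question in the file. Scope the default to the one command that needs it, `Defaults!/usr/sbin/xfpm-power-backlight-helper env_keep += "PKEXEC_UID"`, and replace the REVIEW line with a comment stating that PKEXEC_UID is caller-controlled under sudo and must not be trusted for authorization. If the companion wrapper forwards `PKEXEC_UID=...` for other commands as well, each of those needs its own command-scoped entry rather than a blanket default.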
@@ -0,0 +1,19 @@
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764
+## /usr/share/polkit-1/actions/org.xfce.power.policy
+
+## Feel free to out comment this if you are not using xfce4-power-manager or XFCE.
+
+%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]]
+%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]]
+%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]][[\:digit\:]]
+
+%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]]
+%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]]
+%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]][[\:digit\:]]
+
+## XXX: Should we allow this?
+#%sudo ALL=NOPASSWD: /usr/sbin/xfce4-pm-helper --suspend
+#%sudo ALL=NOPASSWD: /usr/sbin/xfce4-pm-helper --hibernate
diff --git a/usr/bin/pkexec.security-misc b/usr/bin/pkexec.security-misc
index b6e3f91..8a844fc 100755
--- a/usr/bin/pkexec.security-misc
+++ b/usr/bin/pkexec.security-misc
@@ -10,14 +10,26 @@ set -e
+my_real_path="$(realpath "$0")" || true
+identifier="$my_real_path wrapper"
+exec > >(systemd-cat --identifier="$identifier output by program:") 2>&1
+
+log_to_journal() {
+ echo "$@" | systemd-cat --identifier="$identifier output by wrapper:" || true
+}
+
+log_to_journal "$0 $@"
+log_to_journal "DISPLAY: '$DISPLAY'"
+my_pstree="$(pstree -p $$)" || true
+log_to_journal "my_pstree: '$my_pstree'"
+
 ## If hidepid is not in use, just use pkexec normally.
 if ! mount | grep "/proc" | grep "hidepid=2" &>/dev/null ; then
 pkexec.security-misc-orig "$@"
 exit $?
 fi
-## Prefer lxqt-sudo.
-use_sudo=false
+switch_user=false
 original_args="$@"
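Review bot: `exec > >(systemd-cat --identifier="$identifier output by program:") 2>&1` replaces the wrapper's stdout and stderr with a pipe into the journal before anything else runs, and that redirection is inherited by every command the script later runs, including the plain `pkexec.security-misc-orig "$@"` fallback a few lines below, so any caller that reads pkexec's output (`$(pkexec some-command)`) or expects an error message on its terminal now gets nothing. If the intent is only to capture the program's output for debugging, duplicate the stream instead of stealing it, e.g. `exec > >(tee >(systemd-cat --identifier="$identifier output by program:")) 2>&1`, or restrict journal logging to the wrapper's own `log_to_journal` messages and leave the program's descriptors alone. `log_to_journal "$0 $@"` also writes the full command line to the journal; whether callers pass anything sensitive there is not visible from this hunk, but it deserves a comment or a `printf '%q '` style quoting so the record is unambiguous. The remainder of the script is in later hunks.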
@@ -55,7 +67,8 @@ do
 else
 shift 2
 fi
-use_sudo=true
+switch_user=true
+maybe_switch_to_user="--user $user_pkexec_wrapper"
 ;;
 --)
 shift
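Review bot: `maybe_switch_to_user="--user $user_pkexec_wrapper"` packs two words into one string that the later hunks expand unquoted (`$maybe_switch_to_user`) so that they split, which ShellCheck flags and which breaks for a user name containing whitespace or glob characters. Since the script already relies on bash (`[[ ... ]]`), an array states the intent: `maybe_switch_to_user=(--user "$user_pkexec_wrapper")` here, `maybe_switch_to_user=()` next to `switch_user=false`, and `"${maybe_switch_to_user[@]}"` at the call sites. The enclosing `case` statement begins before and ends after this hunk.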
@@ -70,20 +83,49 @@ done
 ## If there are input files (for example) that follow the options, they
 ## will remain in the "$@" positional parameters.
+if [ "$PKEXEC_UID" = "" ]; then
+ if [ ! "$user_pkexec_wrapper" = "" ]; then
+ PKEXEC_UID="$user_pkexec_wrapper"
+ elif [ ! "$SUDO_USER" = "" ]; then
+ PKEXEC_UID="$SUDO_USER"
+ else
+ PKEXEC_UID="$(whoami)"
+ fi
+fi
+export PKEXEC_UID
+
 if [[ "$@" = "" ]]; then
 ## Call original pkexec in case there are no arguments.
 pkexec.security-misc-orig $original_args
 exit $?
 fi
-## set PATH same as root
-## This is required for gdebi.
-## REVIEW: is it ok that users can find out the PATH setting of root?
-PATH="$(sudo --non-interactive /usr/lib/security-misc/echo-path)"
-export PATH
+exit_code=0
-if [ "$use_sudo" = "true" ]; then
- lxqt-sudo sudo --user "$user_pkexec_wrapper" --set-home "$@"
-else
- lxqt-sudo "$@"
+## lxqt-sudo does not check /etc/sudoers / /etc/sudoers.d exceptions.
+## Therefore use 'sudo -l' to see if there is any already existing sudoers exception.
+if sudo -l --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" ; then
+ log_to_journal "sudoers exception: yes"
+ sudo --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" || { exit_code=$? ; true; };
+ log_to_journal "sudo --user | exit_code: '$exit_code'"
+ exit "$exit_code"
 fi
+
+log_to_journal "sudoers exception: no"
+
+if [ "$switch_user" = "true" ]; then
+ ## 'sudo --user user' clears environment variables such as PATH.
+ lxqt-sudo sudo $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" || { exit_code=$? ; true; };
+else
+ ## set PATH same as root
+ ## This is required for gdebi.
+ ## REVIEW: is it ok that users can find out the PATH setting of root?
+ ## lxqt-sudo does not clear environment variable PATH.
+ PATH="$(sudo --non-interactive /usr/lib/security-misc/echo-path)"
+ export PATH
+ lxqt-sudo "$@" || { exit_code=$? ; true; };
+fi
+
+log_to_journal "exit_code: '$exit_code'"
+
+exit "$exit_code"
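Review bot: The block starting `if [ "$PKEXEC_UID" = "" ]; then` honours whatever PKEXEC_UID the unprivileged caller already has in its environment and otherwise fills it with a user *name* (`$user_pkexec_wrapper`, `$SUDO_USER`, `whoami`), then forwards that value to the privileged command via `PKEXEC_UID="$PKEXEC_UID"` on the sudo command line; the real pkexec overwrites this variable with the invoking user's numeric uid, so a helper that relies on it to identify or authorize the caller can be handed any value (`PKEXEC_UID=0 pkexec ...`), and even the honest value has the wrong type. Derive it from the real identity rather than the environment: `PKEXEC_UID="$(id -u)"`, or `PKEXEC_UID="$(id -u "$SUDO_USER")"` when the wrapper itself was started through sudo, and keep `--user` for choosing the target account only, since it is the target, not the caller. Whether any helper reached through this wrapper actually makes decisions on PKEXEC_UID is not visible here, but the comment in the new sudoers file asks exactly this question, so the answer belongs in a comment above the block.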