diff --git a/daemon/bindings.c b/daemon/bindings.c
index 5ed40a3c43f09e0acf8660235d993856398cc89b..cbb181837053f11d9240d3caa644fb626ae9a158 100644
--- a/daemon/bindings.c
+++ b/daemon/bindings.c
@@ -20,14 +20,14 @@
 #include "daemon/bindings.h"
 
 /** @internal Compatibility wrapper for Lua 5.0 - 5.2 */
-#if LUA_VERSION_NUM < 502
+#if LUA_VERSION_NUM >= 502
+#define register_lib(L, name, lib) \
+	luaL_newlib((L), (lib))
+#else
 #define lua_rawlen(L, obj) \
 	lua_objlen((L), (obj))
 #define register_lib(L, name, lib) \
 	luaL_openlib((L), (name), (lib), 0)
-#else
-#define register_lib(L, name, lib) \
-	luaL_newlib((L), (lib))
 #endif
 
 /** List loaded modules */
diff --git a/daemon/daemon.mk b/daemon/daemon.mk
index 918738d55713c17b63d8db57aee3e45edb12a894..677d23d1575abeb54f522168f22c593fa4a1d0b5 100644
--- a/daemon/daemon.mk
+++ b/daemon/daemon.mk
@@ -8,10 +8,9 @@ kresolved_SOURCES := \
 	daemon/main.c
 
 # Embed resources
-daemon/engine.o: daemon/lua/init.inc daemon/lua/config.inc
+daemon/engine.o: daemon/lua/sandbox.inc daemon/lua/config.inc
 %.inc: %.lua
-	@$(call quiet,XXD,$<) -i < $< > $@
-	@echo ', 0x00' >> $@
+	@$(call quiet,XXD,$<) -i - < $< > $@
 
 # Dependencies
 kresolved_DEPEND := $(libkresolve)
diff --git a/daemon/engine.c b/daemon/engine.c
index 8d33a4d2f77c4c7b2dad3acda7ec3446e54e0424..4011407908784c4aec85d90a4d620f558591f6d9 100644
--- a/daemon/engine.c
+++ b/daemon/engine.c
@@ -165,6 +165,16 @@ void engine_deinit(struct engine *engine)
 	kr_cache_close(engine->resolver.cache);
 }
 
+/** Execute current chunk in the sandbox */
+static int l_sandboxcall(lua_State *L)
+{
+#if LUA_VERSION_NUM >= 502
+	lua_getglobal(L, "_SANDBOX");
+	lua_setupvalue(L, -2, 1);
+#endif
+	return lua_pcall(L, 0, LUA_MULTRET, 0);
+}
+
 int engine_cmd(struct engine *engine, const char *str)
 {
 	if (engine == NULL || engine->L == NULL) {
@@ -172,7 +182,10 @@ int engine_cmd(struct engine *engine, const char *str)
 	}
 
 	/* Evaluate results */
-	int ret = luaL_dostring(engine->L, str);
+	int ret = luaL_loadstring(engine->L, str);
+	if (ret == 0) {
+		ret = l_sandboxcall(engine->L);
+	}
 
 	/* Print results. */
 	int nres = lua_gettop(engine->L);
@@ -192,13 +205,20 @@ int engine_cmd(struct engine *engine, const char *str)
 	return kr_ok();
 }
 
+/* Execute byte code */
+#define l_dobytecode(L, arr, len, name) \
+	(luaL_loadbuffer((L), (arr), (len), (name)) || lua_pcall((L), 0, LUA_MULTRET, 0))
+/** Load file in a sandbox environment. */
+#define l_dosandboxfile(L, filename) \
+	(luaL_loadfile((L), (filename)) || l_sandboxcall((L)))
+
 static int engine_loadconf(struct engine *engine)
 {
 	/* Init environment */
-	static const char l_init[] = {
-		#include "daemon/lua/init.inc"
+	static const char sandbox_bytecode[] = {
+		#include "daemon/lua/sandbox.inc"
 	};
-	if (luaL_dostring(engine->L, l_init) != 0) {
+	if (l_dobytecode(engine->L, sandbox_bytecode, sizeof(sandbox_bytecode), "init") != 0) {
 		fprintf(stderr, "[system] error %s\n", lua_tostring(engine->L, -1));
 		lua_pop(engine->L, 1);
 		return kr_error(ENOEXEC);
@@ -207,13 +227,13 @@ static int engine_loadconf(struct engine *engine)
 	/* Load config file */
 	int ret = 0;
 	if(access("config", F_OK ) != -1 ) {
-		ret = luaL_dofile(engine->L, "config");
+		ret = l_dosandboxfile(engine->L, "config");
 	} else {
 		/* Load defaults */
-		static const char config_init[] = {
+		static const char config_bytecode[] = {
 			#include "daemon/lua/config.inc"
 		};
-		ret = luaL_dostring(engine->L, config_init);
+		ret = l_dobytecode(engine->L, config_bytecode, sizeof(config_bytecode), "config");
 	}
 
 	/* Evaluate */
@@ -301,11 +321,11 @@ int engine_unregister(struct engine *engine, const char *name)
 void engine_lualib(struct engine *engine, const char *name, lua_CFunction lib_cb)
 {
 	if (engine != NULL) {
-#if LUA_VERSION_NUM < 502
-		lib_cb(engine->L);
-#else
+#if LUA_VERSION_NUM >= 502
 		luaL_requiref(engine->L, name, lib_cb, 1);
 		lua_pop(engine->L, 1);
+#else
+		lib_cb(engine->L);
 #endif
 	}
 }
diff --git a/daemon/lua/init.lua b/daemon/lua/sandbox.lua
similarity index 65%
rename from daemon/lua/init.lua
rename to daemon/lua/sandbox.lua
index 8792674366b7a6424c49a8c5a64fe2e4ac80645e..6249f489a94fd457d2aa6c3fa2bffec5d2ae265e 100644
--- a/daemon/lua/init.lua
+++ b/daemon/lua/sandbox.lua
@@ -12,9 +12,9 @@ setmetatable(modules, {
 	end
 })
 
--- Some services are append-only
-function protect(defined)
-	local __protected = { ['modules'] = true }
+-- Make sandboxed environment
+function make_sandbox(defined)
+	local __protected = { modules = true, cache = true, net = true }
 	return setmetatable({}, {
 		__index = defined,
 		__newindex = function (t, k, v)
@@ -28,5 +28,10 @@ function protect(defined)
 		end
 	})
 end
--- _G = protect(getfenv(0))
--- setfenv(0, _G)
+
+if setfenv then -- Lua 5.1 and less
+	_G = make_sandbox(getfenv(0))
+	setfenv(0, _G)
+else -- Lua 5.2+
+	_SANDBOX = make_sandbox(_ENV)
+end