diff --git a/README.md b/README.md index 5fb22248..27cfbcaf 100644 --- a/README.md +++ b/README.md @@ -35,12 +35,6 @@ Please see our [installation guide](http://readme.drone.io/setup/overview) to in ### From Source -Install build dependencies: - -* go 1.5+ ([install guide](http://golang.org/doc/install)) -* libsqlite3 ([install script](https://github.com/drone/drone/blob/master/contrib/setup-sqlite.sh)) -* sassc ([install script](https://github.com/drone/drone/blob/master/contrib/setup-sassc.sh)) - Clone the repository to your Go workspace: ``` diff --git a/client/client_impl.go b/client/client_impl.go index ac6b4251..b421b2a4 100644 --- a/client/client_impl.go +++ b/client/client_impl.go @@ -76,7 +76,10 @@ func NewClientTokenTLS(uri, token string, c *tls.Config) Client { auther := config.Client(oauth2.NoContext, &oauth2.Token{AccessToken: token}) if c != nil { if trans, ok := auther.Transport.(*oauth2.Transport); ok { - trans.Base = &http.Transport{TLSClientConfig: c} + trans.Base = &http.Transport{ + TLSClientConfig: c, + Proxy: http.ProxyFromEnvironment, + } } } return &client{client: auther, base: uri, token: token} diff --git a/drone/agent/agent.go b/drone/agent/agent.go index f8d0d213..b2cbe80b 100644 --- a/drone/agent/agent.go +++ b/drone/agent/agent.go @@ -1,7 +1,10 @@ package agent import ( + "os" + "os/signal" "sync" + "syscall" "time" "github.com/drone/drone/client" @@ -201,5 +204,25 @@ func start(c *cli.Context) { } }() } + handleSignals() wg.Wait() } + +// tracks running builds +var running sync.WaitGroup + +func handleSignals() { + // Graceful shut-down on SIGINT/SIGTERM + c := make(chan os.Signal, 1) + signal.Notify(c, os.Interrupt) + signal.Notify(c, syscall.SIGTERM) + + go func() { + <-c + logrus.Debugln("SIGTERM received.") + logrus.Debugln("wait for running builds to finish.") + running.Wait() + logrus.Debugln("done.") + os.Exit(0) + }() +} diff --git a/drone/agent/exec.go b/drone/agent/exec.go index fdd5c9fb..bd538114 100644 
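Review bot: The transport built in `NewClientTokenTLS` for the `c != nil` case is still a bare `http.Transport`, so apart from the new `Proxy` field it has none of the dial or TLS-handshake timeouts that `http.DefaultTransport` sets, and a stalled server or proxy can block the client indefinitely. Consider adding `TLSHandshakeTimeout: 10 * time.Second,` next to `Proxy`, plus a dialer with a timeout; this needs the `time` import, which is not visible in the hunk. A short comment that `HTTP_PROXY`/`HTTPS_PROXY` now apply to this client would also help, because with a plain `http://` `uri` the bearer token would pass through the proxy in the clear. The function starts above the hunk.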
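Review bot: Nothing in `handleSignals` stops the agent from picking up new builds once the signal has arrived, so `running.Add(1)` in `pipeline.run` (drone/agent/exec.go) can run while `running.Wait()` is already blocked. `sync.WaitGroup` does not allow that ordering, and it means `Wait` may never return or may return just before a fresh build starts and is killed by `os.Exit(0)`. The goroutine also reads the channel only once, so a second Ctrl-C is swallowed and a hung build can only be stopped with SIGKILL. The messages are logged at debug level and say SIGTERM even for SIGINT. The sketch below logs the actual signal at info level and exits on a second signal; the workers still need a way to stop taking jobs after the first one, which lives in code outside this hunk.
```go
func handleSignals() {
	// Buffer of 2 so a second signal is not dropped while the first is handled.
	c := make(chan os.Signal, 2)
	signal.Notify(c, os.Interrupt, syscall.SIGTERM)

	go func() {
		sig := <-c
		logrus.Infof("%s received, waiting for running builds to finish", sig)

		done := make(chan struct{})
		go func() {
			running.Wait()
			close(done)
		}()

		select {
		case <-done:
			logrus.Infoln("running builds finished, exiting")
			os.Exit(0)
		case sig = <-c:
			// A second signal lets the operator stop waiting on a hung build.
			logrus.Warnf("%s received again, exiting without waiting", sig)
			os.Exit(1)
		}
	}()
}
```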
--- a/drone/agent/exec.go +++ b/drone/agent/exec.go @@ -33,6 +33,10 @@ func (r *pipeline) run() error { if err != nil { return err } + running.Add(1) + defer func() { + running.Done() + }() logrus.Infof("Starting build %s/%s#%d.%d", w.Repo.Owner, w.Repo.Name, w.Build.Number, w.Job.Number) diff --git a/drone/server.go b/drone/server.go index a1b9fb06..f94c6afa 100644 --- a/drone/server.go +++ b/drone/server.go @@ -110,7 +110,7 @@ var serverCmd = cli.Command{ }, cli.StringFlag{ EnvVar: "DRONE_GITHUB_SECRET", - Name: "github-sercret", + Name: "github-secret", Usage: "github oauth2 client secret", }, cli.StringSliceFlag{ @@ -203,7 +203,7 @@ var serverCmd = cli.Command{ }, cli.StringFlag{ EnvVar: "DRONE_GITLAB_SECRET", - Name: "gitlab-sercret", + Name: "gitlab-secret", Usage: "gitlab oauth2 client secret", }, cli.StringFlag{ diff --git a/router/middleware/remote.go b/router/middleware/remote.go index b0afc66e..7d0d56f7 100644 --- a/router/middleware/remote.go +++ b/router/middleware/remote.go @@ -80,7 +80,7 @@ func setupGitlab(c *cli.Context) (remote.Remote, error) { return gitlab.New(gitlab.Opts{ URL: c.String("gitlab-server"), Client: c.String("gitlab-client"), - Secret: c.String("gitlab-sercret"), + Secret: c.String("gitlab-secret"), Username: c.String("gitlab-git-username"), Password: c.String("gitlab-git-password"), PrivateMode: c.Bool("gitlab-private-mode"), @@ -94,7 +94,7 @@ func setupGithub(c *cli.Context) (remote.Remote, error) { URL: c.String("github-server"), Context: c.String("github-context"), Client: c.String("github-client"), - Secret: c.String("github-sercret"), + Secret: c.String("github-secret"), Scopes: c.StringSlice("github-scope"), Username: c.String("github-git-username"), Password: c.String("github-git-password"), diff --git a/router/middleware/session/user.go b/router/middleware/session/user.go index 78f0a16b..c1c0e09b 100644 --- a/router/middleware/session/user.go +++ b/router/middleware/session/user.go 
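Review bot: The closure around `running.Done()` in `run` adds nothing; `defer running.Done()` is the idiomatic form and reads more clearly. The pair would also benefit from a why-comment, since `running` is declared in another file: `// counted so handleSignals can wait for this build before the agent exits`. `run` starts and ends outside the hunk.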
@@ -85,6 +85,23 @@ func MustAdmin() gin.HandlerFunc { } } +func MustRepoAdmin() gin.HandlerFunc { + return func(c *gin.Context) { + user := User(c) + perm := Perm(c) + switch { + case user == nil: + c.String(401, "User not authorized") + c.Abort() + case perm.Admin == false: + c.String(403, "User not authorized") + c.Abort() + default: + c.Next() + } + } +} + func MustUser() gin.HandlerFunc { return func(c *gin.Context) { user := User(c) diff --git a/router/router.go b/router/router.go index 8dd1a360..446b4d64 100644 --- a/router/router.go +++ b/router/router.go @@ -84,8 +84,8 @@ func Load(middleware ...gin.HandlerFunc) http.Handler { // requires push permissions repo.PATCH("", session.MustPush, server.PatchRepo) - repo.DELETE("", session.MustPush, server.DeleteRepo) - repo.POST("/chown", session.MustPush, server.ChownRepo) + repo.DELETE("", session.MustRepoAdmin(), server.DeleteRepo) + repo.POST("/chown", session.MustRepoAdmin(), server.ChownRepo) repo.POST("/builds/:number", session.MustPush, server.PostBuild) repo.DELETE("/builds/:number/:job", session.MustPush, server.DeleteBuild) diff --git a/yaml/transform/command.go b/yaml/transform/command.go index fc9ce020..cf4892f0 100644 --- a/yaml/transform/command.go +++ b/yaml/transform/command.go @@ -65,6 +65,7 @@ machine $DRONE_NETRC_MACHINE login $DRONE_NETRC_USERNAME password $DRONE_NETRC_PASSWORD EOF +chmod 0600 $HOME/.netrc fi unset DRONE_NETRC_USERNAME diff --git a/yaml/transform/image.go b/yaml/transform/image.go index 5caff74f..a13a983c 100644 --- a/yaml/transform/image.go +++ b/yaml/transform/image.go @@ -1,6 +1,7 @@ package transform import ( + "fmt" "path/filepath" "strings" @@ -61,6 +62,9 @@ func ImageEscalate(conf *yaml.Config, patterns []string) error { for _, c := range conf.Pipeline { for _, pattern := range patterns { if ok, _ := filepath.Match(pattern, c.Image); ok { + if len(c.Commands) != 0 { + return fmt.Errorf("Custom commands disabled for the %s plugin", c.Image) + } c.Privileged = true } } 
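Review bot: `MustRepoAdmin` reads `perm.Admin` without checking that `Perm(c)` returned a value. If `Perm` can yield nil when the permission middleware has not run for a route (its definition is outside the hunk), the handler panics instead of denying the request. Failing closed is safer and also tidies the comparison: `case perm == nil || !perm.Admin:`. The function is exported and gates destructive routes but has no doc comment; `// MustRepoAdmin aborts the request unless the session user has admin permission on the repository.` would cover it.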
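Review bot: The two routes switched to `session.MustRepoAdmin()` still sit under the `// requires push permissions` comment, which now misdescribes them. Group them under their own comment, e.g. `// requires admin permissions`, so the access level of every route can be audited by reading the file. `repo.PATCH("", session.MustPush, server.PatchRepo)` stays at push level; whether the fields `PatchRepo` can change justify that is not visible here and is worth confirming in the same pass. `Load` continues outside the hunk.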
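Review bot: The added `chmod 0600 $HOME/.netrc` runs only after the heredoc has written the credentials, so the file briefly exists with whatever mode the umask allows. Creating the file empty and applying the mode before the write closes that window. `$HOME` is also unquoted on the new line, so a home directory containing whitespace makes the chmod fail and leaves the file at its default mode; prefer `chmod 0600 "$HOME/.netrc"`. The start of the script is outside the hunk, so how the redirect itself quotes the path is not visible.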
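Review bot: The new guard in `ImageEscalate` rejects only `c.Commands`. If `yaml.Container` offers other ways to change what the matched image executes (an entrypoint or command override, for example; the type is not shown here), those would still run with `Privileged = true` and need the same check. The error is returned from inside the loop, so containers earlier in `conf.Pipeline` may already be escalated when it fires; a doc comment should say the config must be discarded on error, e.g. `// On error conf may be partially modified and must not be used.` The image name comes from the user's YAML, so `%q` is a safer verb than `%s` in the message, though the new test pins the current text.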
diff --git a/yaml/transform/image_test.go b/yaml/transform/image_test.go index 67ff8dd0..d5abbd6d 100644 --- a/yaml/transform/image_test.go +++ b/yaml/transform/image_test.go @@ -89,6 +89,17 @@ func Test_escalate(t *testing.T) { ImageEscalate(c, []string{"plugins/docker"}) g.Assert(c.Pipeline[0].Privileged).IsFalse() }) + + g.It("should not escalate plugin with commands", func() { + c := newConfig(&yaml.Container{ + Image: "docker", + Commands: []string{"echo foo"}, + }) + + err := ImageEscalate(c, []string{"docker"}) + g.Assert(c.Pipeline[0].Privileged).IsFalse() + g.Assert(err.Error()).Equal("Custom commands disabled for the docker plugin") + }) }) }
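Review bot: The new case calls `err.Error()` without first asserting that `err` is non-nil, so a regression that makes `ImageEscalate` return nil panics the test run instead of reporting a failed assertion. Add `g.Assert(err != nil).IsTrue()` before the message check. The neighbouring case in the context lines still discards the return value of `ImageEscalate`; now that the function can fail for a matched image, asserting a nil error there would keep the two cases symmetrical.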