Setup everything in root, realize this is bad now but can I just create a non root user and use that or?

Sorry if the phrasing in the title is confusing, it’s worded the best way I could given my limited knowledge of running a server. I’ve setup my server and added a few small websites to learn more about servers. I did everything under the root username and everything works fine. It’s my understanding that I should be using a non root user, and there are many great guides on here for setting that up. My question is after following one of those, would any processes or things be running in root that should not be running in root? I’m essentially only running fail2ban, nginx and the firewall just blocking all ports except what is required.

If all is fine, I’ll just go follow one of the tutorials to setup a sudo user and add SSH keys to that account (different from root user would be best practice I’m guessing) and follow whatever other recommendations are suggested in the official guide for this distro.

I’m just wondering if there is a security or other best practice downside to having done everything starting out in root, or if it’s fine and I should consider myself lucky I didn’t accidentally delete the server or mess something up badly etc! Obviously in the future, I’ll pay more attention to best practices when setting up the server.

Oh and just a quick edit. I’m only hosting fully static websites with HTML/JS/CSS so no php/databases are installed and will never be on this droplet.

Thanks in advance for the guidance!

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Accepted Answer

Absolutely. One of the main reasons you wouldn’t want to run anything as the root user is if your system is compromised (via one of said applications), the attacker basically has complete access to your machine. No sudo access= decreased potential of catastrophic damage.

You may also want to disable password based authentication on your system as a whole and strictly use key files for authentication. Check out as this tutorial covers how to install NGINX and also has a link out to our tutorial on creating user accounts.

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more
DigitalOcean Cloud Control Panel