Question

Setup everything in root, realize this is bad now but can I just create a non root user and use that or?

Sorry if the phrasing in the title is confusing, it’s worded the best way I could given my limited knowledge of running a server. I’ve setup my server and added a few small websites to learn more about servers. I did everything under the root username and everything works fine. It’s my understanding that I should be using a non root user, and there are many great guides on here for setting that up. My question is after following one of those, would any processes or things be running in root that should not be running in root? I’m essentially only running fail2ban, nginx and the firewall just blocking all ports except what is required.

If all is fine, I’ll just go follow one of the tutorials to setup a sudo user and add SSH keys to that account (different from root user would be best practice I’m guessing) and follow whatever other recommendations are suggested in the official guide for this distro.

I’m just wondering if there is a security or other best practice downside to having done everything starting out in root, or if it’s fine and I should consider myself lucky I didn’t accidentally delete the server or mess something up badly etc! Obviously in the future, I’ll pay more attention to best practices when setting up the server.

Oh and just a quick edit. I’m only hosting fully static websites with HTML/JS/CSS so no php/databases are installed and will never be on this droplet.

Thanks in advance for the guidance!

Subscribe
Share

Submit an answer
You can type!ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Accepted Answer

Absolutely. One of the main reasons you wouldn’t want to run anything as the root user is if your system is compromised (via one of said applications), the attacker basically has complete access to your machine. No sudo access= decreased potential of catastrophic damage.

You may also want to disable password based authentication on your system as a whole and strictly use key files for authentication. Check out https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-ubuntu-16-04 as this tutorial covers how to install NGINX and also has a link out to our tutorial on creating user accounts.