Set up everything in root, realize this is bad now but can I just create a non root user and use that or?

Posted March 17, 2018 1.1k views
Nginx, Ubuntu 16.04

Sorry if the phrasing in the title is confusing, it’s worded the best way I could given my limited knowledge of running a server. I’ve set up my server and added a few small websites to learn more about servers. I did everything under the root username and everything works fine. It’s my understanding that I should be using a non root user, and there are many great guides on here for setting that up. My question is after following one of those, would any processes or things be running in root that should not be running in root? I’m essentially only running fail2ban, nginx and the firewall just blocking all ports except what is required.

If all is fine, I’ll just go follow one of the tutorials to setup a sudo user and add SSH keys to that account (different from root user would be best practice I’m guessing) and follow whatever other recommendations are suggested in the official guide for this distro.

I’m just wondering if there is a security or other best practice downside to having done everything starting out in root, or if it’s fine and I should consider myself lucky I didn’t accidentally delete the server or mess something up badly etc! Obviously in the future, I’ll pay more attention to best practices when setting up the server.

Oh and just a quick edit. I’m only hosting fully static websites with HTML/JS/CSS so no php/databases are installed and will never be on this droplet.

Thanks in advance for the guidance!

1 answer

Absolutely. One of the main reasons you wouldn’t want to run anything as the root user is if your system is compromised (via one of said applications), the attacker basically has complete access to your machine. No sudo access = decreased potential of catastrophic damage.

You may also want to disable password based authentication on your system as a whole and strictly use key files for authentication. Check out this tutorial, as it covers how to install NGINX and also has a link out to our tutorial on creating user accounts.

by Justin Ellingwood
Nginx is one of the most popular web servers in the world and is responsible for hosting some of the largest and highest-traffic sites on the internet. It is more resource-friendly than Apache in most cases and can be used as a web server or a reverse proxy. In this guide,...
  • Hey Fishy

    Thanks for helping me understand this more. I’m already using key files but with passwords and have set up a sudo user today (using a separate keyfile). I’m working on learning more and as far as I can see the only things I’ve installed are nginx, fail2ban and htop. The first two seem to need to be in root (nginx worker process is already not on root, but from what I gather the master normally has to be on root due to the ports it needs to listen on) and htop seems to only run when I use the command (which will now be in non root user). I’ll work on further hardening my setup and learning more about Ubuntu.

    Thanks very much for your help, the link had a lot of great info which I implemented today!
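As an added example (not part of this thread or of DigitalOcean's tutorials), a small POSIX shell audit for the two points raised in the answer and in the follow-up comment: only the nginx master should be running as root, and sshd should refuse password logins. The `ps` output and `sshd_config` text below are constructed samples; on a real host you would feed the functions the output of `ps -eo user,comm` and the contents of `/etc/ssh/sshd_config`.

```shell
#!/bin/sh
# Constructed sample inputs (not captured from a real host).
SAMPLE_PS='USER     COMMAND
root     systemd
root     sshd
root     nginx
www-data nginx
www-data nginx
root     fail2ban-server
deploy   htop'

SAMPLE_SSHD_OK='# constructed sshd_config: hardened
PermitRootLogin prohibit-password
PasswordAuthentication no
#PasswordAuthentication yes'

SAMPLE_SSHD_BAD='# constructed sshd_config: weak
PermitRootLogin yes
#PasswordAuthentication no'

# Count nginx processes owned by root. Exactly one (the master, which
# binds ports 80/443) is expected; more than one means workers run as root.
nginx_root_count() {  # $1 = output of: ps -eo user,comm
  printf '%s\n' "$1" | awk 'NR > 1 && $1 == "root" && $2 == "nginx" { n++ }
                            END { print n + 0 }'
}

# Effective value of an sshd_config keyword: the first uncommented match
# wins (sshd semantics); prints the given default when the keyword is absent.
sshd_value() {  # $1 = config text, $2 = keyword, $3 = default
  printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
    /^[ \t]*#/ { next }
    tolower($1) == tolower(key) && !found { print $2; found = 1 }
    END { if (!found) print def }'
}

# Succeeds (exit 0) when password logins are off and root cannot log in
# with a password. Defaults: PasswordAuthentication yes, and
# PermitRootLogin prohibit-password on OpenSSH 7.0 and later.
sshd_hardened() {  # $1 = config text
  pw=$(sshd_value "$1" PasswordAuthentication yes)
  rl=$(sshd_value "$1" PermitRootLogin prohibit-password)
  [ "$pw" = "no" ] && { [ "$rl" = "no" ] || [ "$rl" = "prohibit-password" ]; }
}
```

With the sample data, `nginx_root_count` reports 1 and `sshd_hardened` passes for the hardened config and fails for the weak one.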