Skip to main content

Create a Non-Root User and Grant Sudo Access

Running as root permanently is a common habit when first receiving a VPS, but it's also one of the first things you should fix. A single command error, malicious script, or software vulnerability could then grant immediate and total access to your entire system, with no safeguards whatsoever.

This is the principle of least privilege: give each user only the permissions they actually need, nothing more.

1. Create the New User

sudo adduser john

adduser guides you through the creation step by step (password, optional information) and automatically configures several elements. It's a more user-friendly command than useradd, which is more basic and requires more manual setup.

Choose a Strong Password

Select a robust password for this new user. This account will have sudo access, so it deserves serious protection.

2. Add the User to the Sudo Group

sudo usermod -aG sudo john

On Debian/Ubuntu, the relevant group is sudo. Other distributions like CentOS/RHEL use wheel instead, but for a typical Debian/Ubuntu VPS, sudo is what you need.

Verify Before Disabling Root

Never disable root access until you've confirmed that the new user actually has sudo privileges. The same risk applies here as with a misconfigured firewall: you could end up locked out of your server.

3. Test Before Closing Anything

Open a new SSH session (keeping your current root session open as a safety precaution) and log in with the new user:

ssh john@your-ip

Then test a command with sudo:

sudo apt update

If the password is requested and the command executes, permissions are correctly configured.

User Not in Sudoers

If you get a message like john is not in the sudoers file. This incident will be reported., step 2 was either skipped or you haven't opened a new SSH session since being added to the sudo group. Reconnect and try again.

Occasional Sudo vs. Root Session

Two common ways to use sudo:

# For a single command
sudo apt install nginx

# Launch a temporary root session
sudo -i
# or
sudo su

In daily use, prefer occasional sudo over extended root sessions. This minimizes the risk of error and maintains an audit trail of every command run with elevated privileges.

Going Further: Restricted Sudo Privileges

You can limit a user's sudo permissions to specific commands only via the sudoers file (sudo visudo). This is useful, for example, when delegating limited access like restarting a specific service, without granting full system access. This is a more advanced topic that could be covered in a dedicated article.

Common Mistake

Creating the user without adding them to the sudo group, then getting stuck when you actually need it. If in doubt, groups john lets you verify that sudo appears in the list.

Once your new user is operational, it's recommended to disable direct root SSH login (PermitRootLogin in SSH configuration). Details on this procedure are covered in our dedicated article on SSH Configuration.


Summary

Creating a non-root user with sudo access is one of the very first actions to take when receiving a VPS. To continue securing your server, consult Secure a VPS.

Have a Question?

Our team is available on Discord to help you.