diff --git a/conf/sudoers.conf b/conf/sudoers.conf
new file mode 100644
index 0000000..fd5f84a
--- /dev/null
+++ b/conf/sudoers.conf
@@ -0,0 +1,12 @@
+Cmnd_Alias HOTSPOT_YUNOHOST = /usr/bin/yunohost app info hotspot *,\
+                              /usr/bin/yunohost app setting hotspot *,\
+                              /usr/bin/yunohost app setting vpnclient *
+
+Cmnd_Alias HOTSPOT_SERVICE  = /bin/systemctl stop ynh-hotspot,\
+                              /bin/systemctl start ynh-hotspot
+
+Cmnd_Alias HOTSPOT_MISC     = /usr/local/bin/ynh-hotspot *,\
+                              /usr/local/bin/iw_devices *,\
+                              /usr/local/bin/iw_multissid *
+
+__HOTSPOT_SYSUSER__ ALL = NOPASSWD: /bin/grep, HOTSPOT_YUNOHOST, HOTSPOT_SERVICE, HOTSPOT_MISC
diff --git a/scripts/install b/scripts/install
index a49a44b..4d9e9b0 100644
--- a/scripts/install
+++ b/scripts/install
@@ -45,6 +45,7 @@ wifi_passphrase=$YNH_APP_ARG_WIFI_PASSPHRASE
 firmware_nonfree=$YNH_APP_ARG_FIRMWARE_NONFREE
 
 app=$YNH_APP_INSTANCE_NAME
+sysuser="${app}"
 
 #=================================================
 # CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
@@ -191,6 +192,19 @@ ynh_app_setting_set $app ip4_dns1 80.67.169.12
 ynh_app_setting_set $app ip4_nat_prefix 10.0.242
 ynh_app_setting_set $app vpnclient no
 
+#=================================================
+# CREATE DEDICATED USER
+#=================================================
+
+# Ensure the app has its own system user
+if ! ynh_system_user_exists ${sysuser}
+then
+  ynh_system_user_create ${sysuser}
+fi
+
+# Ensure the system user has enough sudo permissions
+install -b -o root -g root -m 0440 ../conf/sudoers.conf /etc/sudoers.d/${app}_ynh
+ynh_replace_string "__HOTSPOT_SYSUSER__" "${sysuser}" /etc/sudoers.d/${app}_ynh
 
 #=================================================
 # INSTALL CUSTOM SCRIPTS
@@ -240,10 +254,10 @@ sed 's|<TPL:NGINX_REALPATH>|/var/www/wifiadmin/|g' -i "/etc/nginx/conf.d/${domai
 sed 's|<TPL:PHP_NAME>|wifiadmin|g' -i "/etc/nginx/conf.d/${domain}.d/wifiadmin.conf"
 
 ## php-fpm
-sed 's|<TPL:PHP_NAME>|wifiadmin|g' -i /etc/php5/fpm/pool.d/wifiadmin.conf
-sed 's|<TPL:PHP_USER>|admin|g' -i /etc/php5/fpm/pool.d/wifiadmin.conf
-sed 's|<TPL:PHP_GROUP>|admins|g' -i /etc/php5/fpm/pool.d/wifiadmin.conf
-sed 's|<TPL:NGINX_REALPATH>|/var/www/wifiadmin/|g' -i /etc/php5/fpm/pool.d/wifiadmin.conf
+sed "s|<TPL:PHP_NAME>|wifiadmin|g" -i /etc/php5/fpm/pool.d/wifiadmin.conf
+sed "s|<TPL:PHP_USER>|${sysuser}|g" -i /etc/php5/fpm/pool.d/wifiadmin.conf
+sed "s|<TPL:PHP_GROUP>|${sysuser}|g" -i /etc/php5/fpm/pool.d/wifiadmin.conf
+sed "s|<TPL:NGINX_REALPATH>|/var/www/wifiadmin/|g" -i /etc/php5/fpm/pool.d/wifiadmin.conf
 
 # Fix sources
 sed "s|<TPL:NGINX_LOCATION>|${path_url}|g" -i /var/www/wifiadmin/config.php
diff --git a/scripts/remove b/scripts/remove
index 686375f..19e6bcd 100644
--- a/scripts/remove
+++ b/scripts/remove
@@ -58,6 +58,7 @@ for FILE in $(ls /etc/hostapd/hostapd.conf{.tpl?,})
 do
     ynh_secure_remove "$FILE"
 done
+ynh_secure_remove /etc/sudoers.d/hotspot_ynh
 
 # Remove packages
 if [[ $firmware_nonfree == yes ]]; then
@@ -79,3 +80,6 @@ systemctl reload nginx
 
 # Remove sources
 ynh_secure_remove /var/www/wifiadmin/
+
+# Remove user
+ynh_system_user_delete ${app}
diff --git a/sources/controller.php b/sources/controller.php
index 98a224d..d42f37c 100644
--- a/sources/controller.php
+++ b/sources/controller.php
@@ -47,7 +47,7 @@ function service_status() {
 }
 
 function service_faststatus() {
-  exec('sudo systemctl is-active hostapd', $output, $retcode);
+  exec('systemctl is-active hostapd', $output, $retcode);
 
   return $retcode;
 }