RStudio Pro Session Security
Posit Workbench includes a number of options which can help harden the surface of the RStudio Pro IDE itself. The settings in this section all apply to the IDE’s user interface for RStudio Pro Sessions.
Remember that RStudio Pro is an interface to R itself, which has a variety of tools that can access the file system and shell as the user themselves. Follow security best practices by relying on operating system-level permissions, not front end restrictions, to guard access to sensitive content and files.
Limit idle time
By default, Workbench allows users to be idle for up to an hour before automatically signing them out. If your users work with sensitive data, you may wish to decrease this.
/etc/rstudio/rserver.conf
auth-timeout-minutes=20
See Inactivity Timeout for details.
Restrict system directory access
RStudio Pro can optionally prevent users from browsing to system directories; see Restricted directories for details. Enable this feature as follows:
/etc/rstudio/rsession.conf
restrict-directory-view=1
Limit the port range available to sessions
RStudio Pro sessions communicate with the Workbench server on a random port chosen from /proc/sys/net/ipv4/ip_local_port_range. In cases where this range is too wide – usually because there is a firewall between nodes in a load-balanced configuration or when launching sessions on Slurm – you can limit it:
/etc/rstudio/rsession.conf
session-port-range=59000-59999
Note that this setting cannot be used when launching sessions on Kubernetes; sessions will fail to start when it is present.
Disable external publishing
RStudio Pro includes support for publishing to several external services, including RPubs and Shinyapps.io. If your users work with sensitive information, you should disable publishing to these services as follows:
/etc/rstudio/rsession.conf
allow-external-publish=0
Disable other features
There are a few other features you should consider disabling. We have not included them in our Example Secure Configuration because they can impede productivity for end users.
The following features are configured in the /etc/rstudio/rsession.conf file:
- Disable shell access (allow-shell=0); disables the Terminal tab used to execute system commands
- Disable file downloads (allow-file-downloads=0); disables downloading files using the Files pane
- Disable file uploads (allow-file-uploads=0); disables uploading files using the Files pane
- Disable package installation (allow-package-installation=0); disables the user interface for installing R packages
Regardless of the values of these settings, users can execute system commands, install packages, and upload and download content using R itself.
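To confirm that a server actually carries the settings from this section, the following added example (not part of the Posit documentation or tooling) audits rserver.conf and rsession.conf against them. The function names, the `strict` switch for the optional "other features", the use of 20 minutes as the idle ceiling, and the parsing rules (plain key=value lines, `#` comments, last duplicate wins) are assumptions of this sketch.

```python
import os
import tempfile
# Values come from this page; 20 minutes is its example idle ceiling.
MAX_IDLE_MINUTES = 20
SESSION_FLAGS = {"restrict-directory-view": "1", "allow-external-publish": "0"}
OPTIONAL_FLAGS = {"allow-shell": "0", "allow-file-downloads": "0",
                  "allow-file-uploads": "0", "allow-package-installation": "0"}

def parse_conf(path):
    """Read key=value lines. Assumption: '#' starts a comment, last duplicate wins."""
    settings = {}
    if not os.path.exists(path):
        return settings
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            if "=" in line:
                key, value = line.split("=", 1)
                settings[key.strip()] = value.strip()
    return settings

def audit(conf_dir="/etc/rstudio", kubernetes=False, strict=False):
    """Return findings (empty list = settings applied); strict adds OPTIONAL_FLAGS."""
    rserver = parse_conf(os.path.join(conf_dir, "rserver.conf"))
    rsession = parse_conf(os.path.join(conf_dir, "rsession.conf"))
    findings = []
    idle = rserver.get("auth-timeout-minutes", "60")  # unset: one-hour default
    if not idle.isdecimal() or not 0 < int(idle) <= MAX_IDLE_MINUTES:
        findings.append(f"rserver.conf: auth-timeout-minutes={idle}, want 1-{MAX_IDLE_MINUTES}")
    wanted = {**SESSION_FLAGS, **(OPTIONAL_FLAGS if strict else {})}
    for key, want in wanted.items():
        got = rsession.get(key, "<unset>")
        if got != want:
            findings.append(f"rsession.conf: {key}={got}, want {want}")
    if kubernetes and "session-port-range" in rsession:
        findings.append("rsession.conf: session-port-range breaks Kubernetes session start")
    return findings

def demo():
    """Audit a constructed config directory (sample input, not a real server)."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "rserver.conf"), "w") as fh:
            fh.write("auth-timeout-minutes=45\n")
        with open(os.path.join(d, "rsession.conf"), "w") as fh:
            fh.write("# constructed\nrestrict-directory-view=1\nsession-port-range=59000-59999\n")
        return audit(d, kubernetes=True)

if __name__ == "__main__":
    print("\n".join(demo()))
```

On a real server, call `audit()` with no arguments to read /etc/rstudio, and pass `kubernetes=True` where sessions are launched on Kubernetes.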