RStudio Pro Session Security

Posit Workbench includes a number of options which can help harden the surface of the RStudio Pro IDE itself. The settings in this section all apply to the IDE’s user interface for RStudio Pro Sessions.

Remember that RStudio Pro is an interface to R itself, which has a variety of tools that can access the file system and shell as the user themselves. Follow security best practices by relying on operating system-level permissions, not front end restrictions, to guard access to sensitive content and files.

Limit idle time

By default, Workbench allows users to be idle for up to an hour before automatically signing them out. If your users work with sensitive data, you may wish to decrease this.

/etc/rstudio/rserver.conf
auth-timeout-minutes=20

See Inactivity Timeout for details.

Restrict system directory access

RStudio Pro can optionally prevent users from browsing to system directories; see Restricted directories for details. Enable this feature as follows:

/etc/rstudio/rsession.conf
restrict-directory-view=1

Limit the port range available to sessions

RStudio Pro sessions communicate with the Workbench server on a random port chosen from /proc/sys/net/ipv4/ip_local_port_range. In cases where this range does not align with a firewall but modifying the kernel parameter itself is undesirable because of the impact on other applications, the port range used by RStudio Pro sessions can be limited directly:

/etc/rstudio/rsession.conf
session-port-range=59000-59999

A typical use case is to accommodate a firewall between the Workbench server and sessions running on another node. This may be useful when running Workbench in a load-balanced configuration, or when running sessions on compute nodes in a Slurm cluster.

Note that this setting cannot be used whe launching sessions on Kubernetes, and sessions will fail to start when it is present.

Disable external publishing

Workbench

RStudio Pro includes support for publishing to several external services, including RPubs and Shinyapps.io. If your users work with sensitive information, you should disable publishing to these services as follows:

/etc/rstudio/rsession.conf
allow-external-publish=0

Disable other features

Workbench

The are a few other features you should consider disabling. We have not included them in our Example Secure Configuration because they can impede productivity for end users.

The following features are configured in the /etc/rstudio/rsession.conf file:

  • Disable shell access (allow-shell=0); disables the Terminal tab used to execute system commands
  • Disable file downloads (allow-file-downloads=0); disables downloading files using the Files pane
  • Disable file uploads (allow-file-uploads=0); disables uploading files using the Files pane
  • Disable package installation (allow-package-installation=0); disables the user interface for installing R packages
Note

Regardless of the values of these settings, users can execute system commands, install packages, and upload and download content using R itself.

Back to top