Root requirements for Shiny Server

Shiny Server requires root privileges for installation and certain operations. Note that root privileges are also required for installing R.

sudo yum install R
sudo yum install --nogpgcheck <shiny-server-package.rpm>

Generally speaking, the shiny-server process will be started as the root user and then spawn new processes as directed in the configuration file. Shiny Server Pro will run as root if any of these features are enabled:
  • If user_apps or user_dirs is enabled for any location. In order to host applications as various users, Shiny Server must have root privileges.
  • If your configuration uses run_as to spawn applications as multiple different users.
  • If you're running any server on a privileged port (a port in the range of 1-1024).
  • If you're using auth_pam to leverage PAM authentication. (Pro only)
  • If you're using auth_google and store your client secret in a file. (Pro only)
  • If you specify a value for metrics_user (Pro only)
You can, however, run the shiny-server process as a non-privileged user if none of the features above are required.
To run the shiny-server process as a non-privileged user:
  1. Specify the run_as directive at the top of /etc/shiny-server/shiny-server.conf:
    run_as user;
    This directive will apply to all applications and locations defined in the configuration file. There should not be any other run_as directives.

  2. Ensure that the user has write privileges on these paths (recursively):

    • /var/lib/shiny-server/ (or whatever custom SHINY_DATA_DIR setting you are using)
    • /var/log/shiny-server/ (and/or whatever other directories you use for logging)

    and read privileges on these paths (recursively):

    • /srv/shiny-server/ (and/or whatever other directories you are using to host Shiny applications)
    • /opt/shiny-server/
    • /etc/shiny-server/ (Note that you should enable only read access on this directory, as you likely don't want to allow your Shiny applications (which also run as shiny) to be able to write to your configuration or password file.)

    Finally, if the directory /tmp/shiny-server/ exists, it (and all files within it) should be owned by the user you specify.

  3. Restart the shiny server process. Starting a process as a non-root user will depend on the service dameon and IT polocies. For reference, the binary is located at /opt/shiny-server/bin/shiny-server.

One way to control the scope of root access is to install Shiny Server in a VM or docker. That way root access will be bound to the instance as opposed to the physical server.

See also: running-shiny-server-with-root-privileges, Root Requirements for RStudio Workbench / RStudio Server