RStudio Connect requires root privileges for installation and at run-time.
RStudio Connect is a publishing platform for R that enables authorized publishers to deploy R code onto the server. The RStudio Connect process runs as the root user so that it can create “unshare” environments that isolate the R processes it spawns from one another. This ensures that no application published to the server has access to the resources associated with any other application on the server. For the specifics of this “sandboxing” process, see this section of the Admin Guide.
Any R process that will be invoking user code is spawned in such a sandbox, and runs as a non-privileged user (by default, the rstudio-connect user). Global and content-specific overrides for the execution user are supported.
If the service were to run as a non-root user, we would not be able to isolate users' applications from one another. In this scenario, all R processes would run as the same user without any sandboxing, which would enable any publisher to access all source code and data from any other piece of content on the server. Even if your threat model assumes that all publishers are noble and trustworthy, you would still need to worry about the impact of a publisher's credentials being compromised by a malicious actor, or of a published application containing a flaw that would allow an attacker to gain arbitrary code execution on the server.
While some organizations prefer to run software as a non-root user, we propose that it is in fact safer to run RStudio Connect as root; it is more likely that a publisher on your server will maliciously or accidentally publish exploitable content than it is that the mechanism for sandboxing in Linux will be compromised.
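The mechanism described above (a root service that places each R process in its own unshared namespaces and then drops to an unprivileged user before running publisher code), shown as an added C illustration that is not RStudio Connect's own code; the uid/gid 65534 and the program run are placeholder values, and the probe shows why the step needs root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

/* Illustrative sandbox pattern (not Connect's implementation): the root parent
 * forks; the child detaches into new mount and IPC namespaces, drops to an
 * unprivileged uid/gid, then execs the untrusted program. Returns the child's
 * exit status, 126 if sandboxing/privilege drop failed, 127 if exec failed. */
int run_sandboxed(char *const argv[], uid_t uid, gid_t gid) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Needs CAP_SYS_ADMIN: this is the call that fails without root.
         * CLONE_NEWPID is omitted because it would only apply to the exec'd
         * program's own children, not to the program itself. */
        if (unshare(CLONE_NEWNS | CLONE_NEWIPC) != 0) _exit(126);
        /* Keep mount changes private to this sandbox, never propagated to the host. */
        if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) _exit(126);
        /* Drop privileges before any user code runs; order matters:
         * supplementary groups, then gid, then uid last. */
        if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) _exit(126);
        /* Refuse to continue if root could be regained (also rejects uid 0). */
        if (setuid(0) == 0) _exit(126);
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Probe whether this process may create the namespaces the sandbox needs.
 * Done in a child so the caller's own namespaces are untouched. Returns 0 on
 * success, else errno (EPERM when not root or lacking CAP_SYS_ADMIN). */
int probe_unshare(void) {
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) _exit(unshare(CLONE_NEWNS | CLONE_NEWIPC) == 0 ? 0 : errno);
    int status;
    if (waitpid(pid, &status, 0) < 0) return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : EINVAL;
}

int main(void) {
    int err = probe_unshare();
    if (err != 0) { fprintf(stderr, "cannot sandbox: %s\n", strerror(err)); return 1; }
    char *const argv[] = {"id", NULL};            /* placeholder "user code" */
    return run_sandboxed(argv, 65534, 65534);     /* placeholder nobody/nogroup ids */
}
```

Run as an unprivileged user the probe reports EPERM, which is the situation the text describes for a non-root service: no namespaces, so no isolation between publishers' processes.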