Skip to main content

How to run Posit Connect as an unprivileged user

Kelly O'Briant
  • Updated

Requires: Posit Connect Advanced 2025.06.0+

Posit Connect runs as the privileged root user in standard installations. This default allows Connect to manage files and run processes for multiple Unix users. However, some organizations have security requirements that prohibit deploying applications that require root privileges.

Starting in the 2025.06.0 release, Posit supports running Connect as an unprivileged user. This configuration is for environments that do not require the use of multiple Unix users within Connect. It currently requires a Posit Connect Advanced license in addition to meeting the configuration requirements and limitations listed below.

To make an inquiry about trialing or upgrading to a Posit Connect Advanced license, please reach out to your sales or customer success rep, or send us an email: sales@posit.co.

Limitations and Prerequisites

Running Connect as an unprivileged user has specific limitations:

  • Kubernetes-Exclusive Deployment: This capability is currently only available in environments using off-host execution with Kubernetes. Future updates may extend this to other configurations.
  • Feature Limitations: The following features are not supported:
    • PAM authentication
    • Current-user execution (Applications.RunAsCurrentUser)
    • Customizing the run_as user for deployed content
    • Using multiple Unix users within Connect
    • The use of license keys instead of license files

The Posit Connect documentation provides a complete list of configuration requirements and a Helm configuration example.

Migration from Root Configuration

If your Connect server previously ran as root, permissions for the Connect variable data must be adjusted. Additionally, any configuration setting which specifies a file or directory path must be available to the Unix user running the Connect process.

Reference the example provided in the Admin Guide to execute a chown command against your data volume. Do not perform this action while any Connect instance is actively using the data volume.

Related articles

Comments

0 comments

Article is closed for comments.