SvennD
RStudio Server - improved mode
April 23, 2025

RStudio Server - improved mode

Posted on April 23, 2025  •  3 minutes  • 454 words

Many of the extremely useful features in RStudio Server (free) / Workbench (paid) have been disabled by Posit, likely to encourage license purchases. That’s understandable everyone needs to make a living. However, the pricing is quite high for a research center, so we’re limited to using the free version. Since it’s a Linux-based application, we’ve managed to “hack in” some features ourselves.

create a custom login page

We are using nginx as proxy, somewhat based on the admin guide of Workbench. This is basically a requirement since sending credentials over http is a no-no! We can utilisea nginx feature sub_filter in order to replace parts of the body to customize the login page.

For example:

# replace the login page only
location /auth-sign-in 
{
    sub_filter '<body>' '<body> some fancy help message !';
    sub_filter_once on;
    proxy_set_header Accept-Encoding ""; # only required if gzip compression is on
    proxy_pass http://127.0.0.1:8787;
}

Using this method one could easily inject javascript or replace the entire page with a custom page.

creating a /home upon login

When users login for the first time (using sssd or winbind), it’s possible with Workbench to automatically create a /home/$user. This by levering the session in pam. At first, I couldn’t figure out why this didn’t work with the free version—turns out RStudio Server doesn’t open a PAM session at all. Since pam_oddjob_mkhomedir only works at the session level, not auth or account, we have to get creative again.

I modified /etc/pam.d/rstudio to :

#%PAM-1.0
# note: session is never actually called for RStudio (free)
auth       substack     password-auth
auth       [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_exec.so log=/tmp/debug_create_user.log /opt/create_user.sh
account    required     pam_unix.so

note: since we use password-auth anything in password-auth will also work in rstudio (eg sssd or winbind)

This will execute a script /opt/create_user.sh :

#!/usr/bin/env bash

# this script gets executed as root
# during PAM authentication
# it creates the user home directory
# since RStudio doesn't execute sessions :(

# don't do for root or svenn
[ "${PAM_USER}" = "root" ] && exit 0
[ "${PAM_USER}" = "svennd" ] && exit 0

echo "User: ${PAM_USER} "

# Check if the user's home directory exists
USER_HOME="/home/AD/$PAM_USER"

# define the group the user should be part of
PAM_GROUP="1002"

if [ ! -d "$USER_HOME" ]; then
    # Create the home directory if it doesn't exist
    mkdir -m 0700 "$USER_HOME"
    chown $PAM_USER:$PAM_GROUP "$USER_HOME"
    # You can also copy skeleton files if needed
    cp -ra /etc/skel/* "$USER_HOME/"
    
    # selinux
    restorecon -R -v "$USER_HOME"
fi
exit 0

Perhaps there are cleaner solutions, but this worked!

set up resource limits

Even though I didn’t do this, Jeff Stafford made a nice post about how we can set this up.

More hacks to do, let me know!

img by chatGPT

Support

If you enjoyed this website, consider buying me a Dr. Pepper

Buy me a Dr PepperBuy me a Dr Pepper