Changing RunAs User

Default Account

The installer creates a user account and group named rstudio-pm and runs the RStudio Package Manager service under this account. See the RunAs Defaults section for more information.

Changing The RunAs Account (Service)

You can configure RStudio Package Manager to run under another account. The steps below serve as a guide for reconfiguring RStudio Package Manager to run under an account named thor with a primary group of heroes instead of the default rstudio-pm:rstudio-pm.

1. Stop the RStudio Package Manager service. See Stopping and Starting RSPM.

   # Red Hat/CentOS 6
   sudo stop rstudio-pm
   

   # Ubuntu 16+, Red Hat/CentOS 7-8, openSUSE/SLES
   sudo systemctl stop rstudio-pm
   

2. Create a new group and user account

   sudo groupadd heroes
   sudo useradd -r -g heroes -M -s /sbin/nologin thor
   

   In order to use the CLI tool, a user must be a member of the primary group of the user that starts the RStudio Package Manager service.

   In this example, RStudio Package Manager is started by the user thor. The primary group of the thor account is heroes, so users must be members of the heroes group to use the CLI.

3. Edit the service configuration

   Red Hat/CentOS 6

   sudo vi /etc/init/rstudio-pm.override
   

   Change these lines:

   env RSTUDIO_PM_USER=thor
   env RSTUDIO_PM_GROUP=heroes
   

   Ubuntu 16+, Red Hat/CentOS 7-8, openSUSE/SLES

   sudo vi /etc/systemd/system/rstudio-pm.service.d/user.conf
   

   Change these lines:

   [Service]
   User=thor
   Group=heroes
   

4. Change ownership of files and directories

   # Configuration file
   sudo chown thor:heroes /etc/rstudio-pm/rstudio-pm.gcfg
   
   # Log files
   sudo chown thor:heroes /var/log/rstudio-pm.*
   
   # Data directory (or `Server.DataDir`, if configured for a custom location)
   sudo chown -R thor:heroes /var/lib/rstudio-pm
   
   # Run directory
   sudo chown -R thor:heroes /var/run/rstudio-pm
   
   # If you have a custom `Sqlite.Dir` (e.g., `Sqlite.Dir = /database/directory`)
   sudo chown -R thor:heroes /database/directory
   
   # Temporary workspace directory for Git package builds
   # This directory is usually found under `/tmp`. If you use a custom
   # `Server.TempDir`, then it will be found at `Server.TempDir`/rspm-workspaces.
   sudo chown -R thor:heroes /tmp/rspm-workspaces
   
   # If you have any custom FileStorage configuration settings
   #
   # For example:
   #
   # [FileStorage "cache"]
   # Location = /path/to/cache
   #
   # [FileStorage "launcher"]
   # Location = /path/to/launcher
   #
   # [FileStorage "metrics"]
   # Location = /path/to/metrics
   #
   # [FileStorage "packages"]
   # Location = /path/to/packages
   #
   sudo chown -R thor:heroes /path/to/cache
   sudo chown -R thor:heroes /path/to/launcher
   sudo chown -R thor:heroes /path/to/metrics
   sudo chown -R thor:heroes /path/to/packages
   

5. Edit the Job Launcher configuration (unless running as root)

   If you wish to build Git packages, you may need to update the Job Launcher configuration to build packages under the correct account and group.

   When Running Unprivileged

   When RStudio Package Manager is running unprivileged (the default), the Job Launcher automatically runs under the same user and group as the RStudio Package Manager service. Skip this step. Using a different account for the Launcher.ServerUser configuration setting is prohibited.

   When Running Privileged

   If you are changing the RunAs user to root, the Job Launcher will automatically use the rstudio-pm user and group to build Git packages, and you may skip this step. However, you may customize the Job Launcher user and admin group by using the Launcher.ServerUser and Launcher.AdminGroup configuration settings.

   sudo vi /etc/rstudio-pm/rstudio-pm.gcfg
   

   Add or change these lines:

   [Launcher]
   ServerUser = thor
   AdminGroup = heroes
   

6. Remove remaining domain socket file (if any)

   sudo rm /var/run/rstudio-pm/rstudio-pm.sock
   

7. Start the RStudio Package Manager service. See Stopping and Starting RSPM.

   # Red Hat/CentOS 6
   sudo start rstudio-pm
   
   # Ubuntu 16+, Red Hat/CentOS 7-8, openSUSE/SLES
   sudo systemctl daemon-reload # Reload the systemd process
   sudo systemctl start rstudio-pm
   

8. Verify that the rstudio-pm service is running under the thor account.

   bash ps -axj | grep `id -u thor`

9. Check /var/log/rstudio-pm.log to verify that the server started up with no errors.

Using the New RunAs Account (CLI)

After changing the service RunAs user, your CLI users must be members of the heroes group. For example:

sudo useradd -g heroes hulk
sudo passwd hulk
su hulk
/opt/rstudio-pm/bin/rspm <command>