aaronpeikert / reproducible-research

A Reproducible Data Analysis Workflow with R Markdown, Git, Make, and Docker
https://psyarxiv.com/8xzqy/
Creative Commons Attribution 4.0 International

RStudio webserver security issue #41

Closed brandmaier closed 4 years ago

brandmaier commented 4 years ago

Is it a potential security issue to run RStudio on a local port (which accidentally could be open in a LAN/WAN)? Mention this issue? Or tell people not to use 8787 but a number they come up with?

aaronpeikert commented 4 years ago

That is indeed a critical security issue: https://www.tripwire.com/state-of-security/devops/psa-beware-exposing-ports-docker/ So you are correct in your guess that this port is opened to the network of the user. I think we can mitigate the issue with this answer: https://superuser.com/questions/1171108/expose-docker-port-internally

aaronpeikert commented 4 years ago

@brandmaier do you think this is enough?

aaronpeikert commented 4 years ago

@brandmaier, could you check that you can run docker run -e PASSWORD=test -p 127.0.0.1:8787:8787 reproducible-research and then connect via web browser?

brandmaier commented 4 years ago

Confirm that this works on macOS.
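
Added example, not part of the original thread or the project's code: a shell function that flags containers whose published ports are bound to a wildcard address (the Docker default for `-p 8787:8787`), which the `-p 127.0.0.1:8787:8787` form discussed above avoids. The container names and sample lines are constructed, and the input is assumed to be the output of `docker ps --format '{{.Names}}\t{{.Ports}}'`.

```shell
#!/bin/sh
# Flag Docker port publications that are reachable from the network.
# Input:  lines of "<container name><TAB><ports>" on stdin.
# Output: "<name> <bind address>:<host port> -> <container port>" for every
#         publication bound to 0.0.0.0, :: or [::].
audit_published_ports() {
    awk -F '\t' '
    {
        n = split($2, maps, ", ")
        for (i = 1; i <= n; i++) {
            m = maps[i]
            # Only published ports contain "->"; a bare "8787/tcp" is
            # exposed inside Docker but not published on the host.
            arrow = index(m, "->")
            if (arrow == 0) continue
            host = substr(m, 1, arrow - 1)
            target = substr(m, arrow + 2)
            # Strip the trailing ":port" (or ":low-high") to get the address.
            addr = host
            sub(/:[0-9-]+$/, "", addr)
            port = substr(host, length(addr) + 2)
            if (addr == "0.0.0.0" || addr == "::" || addr == "[::]")
                printf "%s %s:%s -> %s\n", $1, addr, port, target
        }
    }'
}

# Constructed sample lines (hypothetical container names), not captured
# from a real host.
sample_ports() {
    printf 'rstudio-open\t0.0.0.0:8787->8787/tcp, :::8787->8787/tcp\n'
    printf 'rstudio-local\t127.0.0.1:8787->8787/tcp\n'
    printf 'rstudio-unpublished\t8787/tcp\n'
}

# On a real host:
#   docker ps --format '{{.Names}}\t{{.Ports}}' | audit_published_ports
sample_ports | audit_published_ports
```

Only `rstudio-open` is reported; the loopback-bound and unpublished containers produce no output.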