Description
We recently experienced a security incident where several RStudio Server containers (based on Rocker images via Bioconductor) were compromised. Attackers port-scanned our infrastructure, found SSH services, and logged in using rstudio:rstudio.
Once inside, they deployed cryptocurrency mining malware. We identified the attack vector by finding malware files owned by the rstudio user, despite our application users operating under a different account.
The issue: The rstudio system user ships with a well-known default password. While SSH is not enabled by default in the image, many users add SSH access for remote administration or cloud deployments. When they do, the rstudio:rstudio credentials become an easy target - these credentials appear in common brute-force wordlists.
Suggested fix: Add `passwd -l rstudio` to the Dockerfile to lock the user by default. RStudio Server does not require the rstudio system user to have SSH access - it manages R sessions internally. Users who need SSH access for this user can unlock it and set their own password.
While securing our deployment is ultimately our responsibility, locking this user by default would protect future users from this common attack pattern.
```shell
docker run --rm bioconductor/bioconductor_docker:RELEASE_3_20 cat /etc/shadow | grep rstudio
```
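As an added example (not code from the issue or the bioconductor_docker project), the script below turns the `/etc/shadow` check above into a reusable test: it reads shadow content from stdin, such as the output of the `docker run ... cat /etc/shadow` command, and reports whether a given account is locked. It relies on the fact that `passwd -l` prefixes the hash field with `!`; the sample shadow lines and their hashes are constructed placeholders, not the real hash from the image.

```shell
#!/bin/sh
# Added example, not code from the bioconductor_docker project. Reads
# /etc/shadow content from stdin and reports the login state of one account.
# `passwd -l` locks an account by prefixing its hash field with "!", so a
# locked rstudio user shows up as "rstudio:!$6$...". A hash of "*" or "!"
# alone also disables password login; an empty hash means login with no
# password at all, which is worse than a known default.

# Print "locked", "unlocked", "nopass" or "missing" for account $1.
# Always exits 0 so it can be used inside $(...) under `set -e`.
shadow_user_status() {
    user=$1
    # Exact match on the first field; awk always exits 0, even with no match.
    line=$(awk -F: -v u="$user" '$1 == u { print; exit }')
    if [ -z "$line" ]; then
        echo missing
        return 0
    fi
    hash=$(printf '%s\n' "$line" | cut -d: -f2)
    case "$hash" in
        '')          echo nopass ;;
        '!'* | '*'*) echo locked ;;
        *)           echo unlocked ;;
    esac
}

# Exit 0 only when account $1 is locked; usable as `if shadow_user_is_locked ...`.
shadow_user_is_locked() {
    [ "$(shadow_user_status "$1")" = locked ]
}

# Constructed sample /etc/shadow contents (placeholder hashes, not the real one).
SHADOW_DEFAULT='root:*:19000:0:99999:7:::
rstudio:$6$placeholdersalt$placeholderhash:19000:0:99999:7:::'
SHADOW_LOCKED='root:*:19000:0:99999:7:::
rstudio:!$6$placeholdersalt$placeholderhash:19000:0:99999:7:::'

# Stand-alone run against the constructed samples.
printf '%s\n' "$SHADOW_DEFAULT" | shadow_user_status rstudio   # unlocked
printf '%s\n' "$SHADOW_LOCKED"  | shadow_user_status rstudio   # locked

# Against a real image (commented out so the script runs offline):
# docker run --rm bioconductor/bioconductor_docker:RELEASE_3_20 cat /etc/shadow \
#   | shadow_user_is_locked rstudio || echo "rstudio account is not locked"
```

Piping the image's shadow file into `shadow_user_is_locked rstudio` gives a non-zero exit when the account is still unlocked, which makes the check easy to run in CI after the `RUN passwd -l rstudio` line is added to the Dockerfile.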