Build A Complete Linux Media Server – Install transmission-daemon running as nobody

This entry is part 3 of 6 in the series Complete Linux Media Server

Install transmission-daemon

You could be forgiven for thinking that a simple “apt-get install” would suffice to install transmission-daemon, and theoretically it does.

However! We want this set up securely and neatly, as there are other components which need to interact with transmission and its files and directories, and ideally we will have all of these running as user “nobody:nogroup”.

Install the Software

merlin@merlin:~$ sudo apt-get install transmission-daemon

Configure transmission-daemon to run as user nobody

If we now check our running processes, transmission is configured to run as user “debian-transmission” – totally fine and secure but not quite what we want:

merlin@merlin:~$ ps aux | grep transmission
debian-+  1356  0.1  0.5  30708  6064 ?        Ssl  20:45   0:00 /usr/bin/transmission-daemon -f --log-error

We need to make the following edits and permission changes:

  1. Stop the daemon:
    • /etc/init.d/transmission-daemon stop
  2. Edit /etc/init.d/transmission-daemon and change the user:
    • change USER=debian-transmission to USER=nobody:nogroup and save the file
  3. As Debian now uses systemd to manage services, we also need to change the service unit to reflect the different user. Edit the /lib/systemd/system/transmission-daemon.service file and change the following:
    • User=debian-transmission to User=nobody
    • Add the absolute path of the config directory to the end of the ExecStart line to work around a slight bug with $HOME variables. The line should read:
      ExecStart=/usr/bin/transmission-daemon -f --log-error --config-dir=/var/lib/transmission-daemon/info
    • Save the file and reload the system configuration:
      sudo systemctl daemon-reload
  4. We now need to make sure that user nobody has permissions to the relevant files and directories:
    • merlin@merlin:~$ sudo chown -R nobody:nogroup /var/lib/transmission-daemon/
    • merlin@merlin:~$ sudo chown -R nobody:nogroup /etc/transmission-daemon

Set the UDP Send and Receive Buffers

The daemon will now start and run as user nobody:

merlin@merlin:~$ ps aux | grep trans
nobody     418  0.5  1.7  60628 18512 ?        Ssl  09:38   0:14 /usr/bin/transmission-daemon -f --log-error --config-dir=/var/lib/transmission-daemon/info

Tailing /var/log/syslog while restarting the service shows the following errors:

UDP Failed to set receive buffer: requested 4194304, got 327680 (tr-udp.c:78)
Failed to set send buffer: requested 1048576, got 327680 (tr-udp.c:89)

Transmission is requesting a 4MB receive buffer and a 1MB send buffer but not getting them. This can be swiftly corrected by adding the values to the sysctl.conf file and then refreshing with “sysctl -p”:

echo 'net.core.rmem_max = 4194304' >> /etc/sysctl.conf
echo 'net.core.wmem_max = 1048576' >> /etc/sysctl.conf
sysctl -p

You can also try larger buffers to tweak performance, e.g. a 16MB receive buffer and a 4MB send buffer, as below:

echo 'net.core.rmem_max = 16777216' >> /etc/sysctl.conf
echo 'net.core.wmem_max = 4194304' >> /etc/sysctl.conf

Once the values have been applied, a restart should be smooth and error free.

Change Default User Credentials & Allow Network GUI Access

As this is a headless server, we are unlikely to access it from localhost very often. The default settings allow connections only from 127.0.0.1, so edit the /etc/transmission-daemon/settings.json file and either add allowed IPs to the whitelist or disable the whitelist altogether (change rpc-whitelist-enabled to false). The latter should only be done if the server is not directly connected to the internet, where anyone could access it!

  1. Stop the daemon before editing, otherwise your changes will be overwritten when the service is stopped / started later:
    merlin@merlin:~# sudo /etc/init.d/transmission-daemon stop
  2. Edit /etc/transmission-daemon/settings.json, look for the settings and change them as applicable:
    • Delete the hashed password between the quotes in this line and replace it with your new plain text password – transmission will automatically hash it as soon as it restarts:
      "rpc-password": "{b21ebef271608102725706c76924ca596ca0d3e6CA5En8YL",
    • Find the following line and change the username:
      "rpc-username": "transmission",
    • Either add your allowed IP(s) to the whitelist or set the enabled parameter to false to allow access from any IP:
      "rpc-whitelist": "127.0.0.1",
      "rpc-whitelist-enabled": true,
  3. Restart the service and you should now be able to connect via either the web GUI or a front-end app, e.g. Transmission Remote GUI.
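
Before restarting, it is worth checking the edited file for the mistakes these steps make easy: a whitelist left disabled, the default username, or a password that is still in plain text. The script below is an added example, not part of the original post or of Transmission itself; the sample JSON is constructed, and treating missing keys as the unsafe value is an assumption of the example.

```python
import json

# Constructed sample: a settings.json fragment after a careless edit.
SAMPLE = """{
    "rpc-authentication-required": true,
    "rpc-enabled": true,
    "rpc-password": "changeme",
    "rpc-username": "transmission",
    "rpc-whitelist": "127.0.0.1,192.168.1.*",
    "rpc-whitelist-enabled": false
}"""

def audit_rpc(settings):
    """Return a list of findings for the RPC keys edited in the steps above."""
    findings = []
    # Assumption: a missing key is treated as the unsafe value so it gets flagged.
    if not settings.get("rpc-enabled", True):
        return findings  # RPC is switched off, nothing is exposed
    auth = settings.get("rpc-authentication-required", False)
    whitelist_on = settings.get("rpc-whitelist-enabled", False)
    entries = [e.strip() for e in settings.get("rpc-whitelist", "").split(",") if e.strip()]
    if not whitelist_on:
        findings.append("whitelist disabled: any IP can reach the RPC port")
    elif any(e in ("*", "*.*.*.*") for e in entries):
        findings.append("whitelist contains a match-all entry")
    if not auth:
        findings.append("authentication not required")
    if not auth and not whitelist_on:
        findings.append("CRITICAL: no authentication and no whitelist")
    if settings.get("rpc-username", "") in ("", "transmission"):
        findings.append("default or empty rpc-username")
    password = settings.get("rpc-password", "")
    if not password:
        findings.append("empty rpc-password")
    elif not password.startswith("{"):
        # The daemon rewrites the password in hashed form, which begins with '{'
        findings.append("rpc-password is still plain text until the daemon restarts")
    return findings

if __name__ == "__main__":
    for finding in audit_rpc(json.loads(SAMPLE)):
        print("-", finding)
```

To check the real file, pass audit_rpc() the result of json.load() on /etc/transmission-daemon/settings.json, read as a user with permission to open it.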

Implement a Blocklist (Optional)

In the Transmission Remote GUI go to Tools -> Transmission Options -> Network (WAN). Select “Enable blocklist” and enter the URL of your favourite blocklist provider. Generally the following is ample:

http://list.iblocklist.com/?list=bt_level1&fileformat=p2p&archiveformat=gz

Click OK and then Tools -> Update Blocklist.
