Permission issue when attempting to use an alternate webui for Transmission

Hi everyone.

I want to replace the default webui of Transmission with something like Flood. I couldn’t find a NixOS option for this, so I’ve turned to the manual method of setting the environment variable TRANSMISSION_WEB_HOME. NixOS seems to export this variable as expected; however, when accessing the webui, Transmission claims it does not have permission to read the files. I have run chown -R media:media and chmod -r 777 on the webui folder, and ls -l /var/lib/transmission/web confirms the files should be accessible:

Permissions Size User  Date Modified Name
drwxrwxrwx     - media 18 apr 20:04  build
drwxrwxrwx     - media 18 apr 20:04  fonts
drwxrwxrwx     - media 18 apr 20:04  images
drwxrwxrwx     - media 18 apr 20:04  style
.rwxrwxrwx  1,3k media 18 apr 20:04  index.html
.rwxrwxrwx  2,2k media 18 apr 20:04  sw.js
.rwxrwxrwx   14k media 18 apr 20:04  workbox-d249b2c8.js
.rwxrwxrwx    25 media 18 apr 20:04  config.json
.rwxrwxrwx  3,8k media 18 apr 20:04  sw.js.map
.rwxrwxrwx  137k media 18 apr 20:04  workbox-d249b2c8.js.map
.rwxrwxrwx   477 media 18 apr 20:04  manifest.webmanifest
.rwxrwxrwx   238 media 18 apr 20:04  browserconfig.xml

● transmission.service - Transmission BitTorrent Service
     Loaded: loaded (/etc/systemd/system/transmission.service; enabled; preset: enabled)
     Active: active (running) since Sun 2023-06-04 16:59:12 CEST; 6min ago
    Process: 41076 ExecStartPre=/nix/store/98smy0izzn1sgxagy8j6yqfa8jwyi5hi-transmission-prestart (code=exited, status=0/SUCCESS)
   Main PID: 41080 (transmission-da)
         IP: 21.7K in, 12.9K out
         IO: 0B read, 4.0K written
      Tasks: 3 (limit: 9414)
     Memory: 18.6M
        CPU: 320ms
     CGroup: /system.slice/transmission.service
             └─41080 /nix/store/1lsdzdw5crv70928dpzsm7swp8ixyi2b-transmission-3.00/bin/transmission-daemon -f -g /var/lib/transmission/.config/transmission-daemon

jun 04 16:59:13 helios transmission-daemon[41080]: [2023-06-04 16:59:13.722] Port Forwarding (NAT-PMP) sendpublicaddressrequest succeeded (2) (/build/source/libtransmission/natpmp.c:73)
jun 04 16:59:21 helios transmission-daemon[41080]: [2023-06-04 16:59:21.720] Port Forwarding State changed from "Not forwarded" to "Starting" (/build/source/libtransmission/port-forwarding.c:106)
jun 04 16:59:21 helios transmission-daemon[41080]: [2023-06-04 16:59:21.720] Port Forwarding (NAT-PMP) readnatpmpresponseorretry succeeded (0) (/build/source/libtransmission/natpmp.c:73)
jun 04 16:59:21 helios transmission-daemon[41080]: [2023-06-04 16:59:21.720] Port Forwarding (NAT-PMP) Found public address "176.10.146.132" (/build/source/libtransmission/natpmp.c:138)
jun 04 16:59:21 helios transmission-daemon[41080]: [2023-06-04 16:59:21.720] Port Forwarding (NAT-PMP) sendnewportmappingrequest succeeded (12) (/build/source/libtransmission/natpmp.c:73)
jun 04 16:59:21 helios transmission-daemon[41080]: [2023-06-04 16:59:21.720] Couldn't read "/var/lib/transmission/web/index.html": Permission denied (/build/source/libtransmission/utils.c:286)
jun 04 16:59:21 helios transmission-daemon[41080]: [2023-06-04 16:59:21.720] Port Forwarding (NAT-PMP) readnatpmpresponseorretry succeeded (0) (/build/source/libtransmission/natpmp.c:73)
jun 04 16:59:21 helios transmission-daemon[41080]: [2023-06-04 16:59:21.720] Port Forwarding (NAT-PMP) Port 51413 forwarded successfully (/build/source/libtransmission/natpmp.c:222)
jun 04 16:59:21 helios transmission-daemon[41080]: [2023-06-04 16:59:21.720] Port Forwarding State changed from "Starting" to "Forwarded" (/build/source/libtransmission/port-forwarding.c:106)
jun 04 17:05:57 helios transmission-daemon[41080]: [2023-06-04 17:05:57.718] Couldn't read "/var/lib/transmission/web/index.html": Permission denied (/build/source/libtransmission/utils.c:286)

Any ideas what’s causing this and how I can resolve it?

NixOS Transmission config:

{pkgs, ...}: {
  boot.kernel.sysctl."net.core.wmem_max" = 1048576;
  systemd.services.transmission = {
    enable = true;
    serviceConfig = {
      BindPaths = ["/DATA"];
    };
    environment = {TRANSMISSION_WEB_HOME = "/var/lib/transmission/web";};
  };

  services.transmission = {
    enable = true;
    user = "media";
    group = "media";
    performanceNetParameters = true;
    openPeerPorts = true;
    openRPCPort = true;
    home = "/var/lib/transmission";
    settings = {
      alt-speed-up = 10;
      rpc-port = 7000;
      alt-speed-down = 150;
      blocklist-enabled = true;
      blocklist-url = "https://github.com/sahsu/transmission-blocklist/releases/latest/download/blocklist.gz";
      rpc-bind-address = "0.0.0.0";
      rpc-whitelist-enabled = false;
      peer-port = 51413;
      incomplete-dir-enabled = true;
      incomplete-dir = "/DATA/D4/TM/incomplete";
      download-dir = "/DATA/D4/TM/complete";
      download-queue-enabled = true;
      download-queue-size = 10;
      idle-seeding-limit = 20;
      idle-seeding-enabled = true;
      ratio-limit-enabled = true;
      ratio-limit = 5;
      umask = 2;
    };
  };
}

It’s due to the hardening of the service: transmission only has access to services.transmission.home, /etc, /run and /nix/store.
I think the proper solution would be

environment.TRANSMISSION_WEB_HOME = pkgs.fetchzip
  { url = "https://github.com/johman10/flood-for-transmission/releases/download/latest/flood-for-transmission.zip"; 
    sha256 = "alsHOTF8EEF7iUNHvLC21V3VRVoYQSs78g2r7YGTDeQ=";
  };

The result is accessible read-only from the Nix store, so it should work.


Useful to know, thanks. Also explains a similar issue I was having with completed torrents.

Unfortunately this still results in permission denied:

jun 04 19:22:02 helios transmission-daemon[49444]: [2023-06-04 19:22:02.472] Couldn't read "/nix/store/scx2r70fqv5wd4s8l9kixpnfs8c1b3p7-source/index.html": Permission denied (/build/source/libtransmission/utils.c:286)

I’m not sure… the /nix/store should be allowed: transmission wouldn’t be able to start otherwise. What does this show?

systemctl cat transmission | grep Bind
BindPaths=/var/lib/transmission/.config/transmission-daemon
BindPaths=/DATA/D4/TM/complete
BindPaths=/DATA/D4/TM/incomplete
BindPaths=/DATA
BindReadOnlyPaths=/nix/store
BindReadOnlyPaths=/etc
BindReadOnlyPaths=/run

Transmission also seems to do some apparmor things, maybe that’s getting in the way? I don’t think it’s enabled by default, though.


Disabling apparmor solved it. Thank you!
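
Added example, not part of the thread: a small shell check that matches the two denied paths from the logs against the Bind lines posted above. It assumes the unit runs in a private root where only bind-mounted paths are visible; `sandbox_view` and `UNIT_BINDS` are names made up for this sketch. The web folder is not covered by any Bind line, while the Nix store path is covered read-only, so its denial has to come from another layer (AppArmor, as found in the thread).

```shell
#!/bin/sh
# Constructed sample: the Bind lines posted in the thread.
UNIT_BINDS='BindPaths=/var/lib/transmission/.config/transmission-daemon
BindPaths=/DATA/D4/TM/complete
BindPaths=/DATA/D4/TM/incomplete
BindPaths=/DATA
BindReadOnlyPaths=/nix/store
BindReadOnlyPaths=/etc
BindReadOnlyPaths=/run'

# sandbox_view BINDS PATH -> prints "rw", "ro" or "hidden".
# Assumption: the unit runs in a private root where only bind-mounted
# paths exist, so a path outside every bind line is not reachable.
sandbox_view() {
    binds=$1; path=$2; best_len=-1; result=hidden
    while IFS='=' read -r key value; do
        case $key in
            BindPaths) mode=rw ;;
            BindReadOnlyPaths) mode=ro ;;
            *) continue ;;
        esac
        for entry in $value; do          # one directive may list several paths
            entry=${entry#-}             # "-" prefix: ignore if source is missing
            case $entry in               # "src:dst[:opts]" -> visible path is dst
                *:*) entry=${entry#*:}; entry=${entry%%:*} ;;
            esac
            entry=${entry%/}
            case $path in
                "$entry"|"$entry"/*)
                    # the longest matching mount point decides the mode
                    if [ "${#entry}" -gt "$best_len" ]; then
                        best_len=${#entry}; result=$mode
                    fi ;;
            esac
        done
    done <<EOF
$binds
EOF
    printf '%s\n' "$result"
}

# The two paths from the "Permission denied" log lines in the thread.
for p in /var/lib/transmission/web/index.html \
         /nix/store/scx2r70fqv5wd4s8l9kixpnfs8c1b3p7-source/index.html; do
    printf '%-6s %s\n' "$(sandbox_view "$UNIT_BINDS" "$p")" "$p"
done
```

On a live system, feed it the output of `systemctl cat transmission | grep Bind` instead of the embedded sample.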

Certainly one way to fix it, but you could probably also just fix the apparmor config to include that path: https://github.com/NixOS/nixpkgs/blob/c37ca420157f4abc31e26f436c1145f8951ff373/nixos/modules/services/torrent/transmission.nix#L464

That said, not much experience with apparmor myself.

My workaround was to use an overlay to copy it to the existing web directory (in addition to setting TRANSMISSION_WEB_HOME):

{ pkgs, ... }:

let
  flood = pkgs.fetchzip {
    url =
      "https://github.com/johman10/flood-for-transmission/releases/download/2023-04-18T18-03-53/flood-for-transmission.zip";
    hash = "sha256-alsHOTF8EEF7iUNHvLC21V3VRVoYQSs78g2r7YGTDeQ=";
  };
in {
  nixpkgs.overlays = [
    (self: super: {
      transmission = super.transmission.overrideAttrs (old: {
        postInstall = old.postInstall + ''
          cp -R ${flood} $out/share/transmission/web/flood
        '';
      });
    })
  ];

  systemd.services.transmission.environment.TRANSMISSION_WEB_HOME =
    "${pkgs.transmission}/share/transmission/web/flood";
}

Edit: You might as well replace the original web UI if you’re overriding the package. Then you don’t need to set TRANSMISSION_WEB_HOME:

{ pkgs, ... }:

let
  flood = pkgs.fetchzip {
    url =
      "https://github.com/johman10/flood-for-transmission/releases/download/2023-04-18T18-03-53/flood-for-transmission.zip";
    hash = "sha256-alsHOTF8EEF7iUNHvLC21V3VRVoYQSs78g2r7YGTDeQ=";
  };
in {
  nixpkgs.overlays = [
    (self: super: {
      transmission = super.transmission.overrideAttrs (old: {
        postInstall = old.postInstall + ''
          # Replace the bundled web UI with Flood in place
          rm -rf $out/share/transmission/web
          cp -R ${flood} $out/share/transmission/web
        '';
      });
    })
  ];
}