From c6748dc4501f418b75fd23f509f23f8d0ebeb220 Mon Sep 17 00:00:00 2001
From: "Dimas D. Angga"
Date: Wed, 20 May 2026 09:32:49 +0700
Subject: [PATCH] fix(mastercontainer): run session-deduplicator as www-data

The session-deduplicator only touches files under /mnt/docker-aio-config/session/, which is already owned by www-data, so running it as root grants more privilege than it needs. Dropping to www-data reduces the number of root-owned processes in the mastercontainer and follows least-privilege for the supervisord program set.
---
 Containers/mastercontainer/supervisord.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Containers/mastercontainer/supervisord.conf b/Containers/mastercontainer/supervisord.conf
index df682fff..aa310a16 100644
--- a/Containers/mastercontainer/supervisord.conf
+++ b/Containers/mastercontainer/supervisord.conf
@@ -54,7 +54,7 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=/session-deduplicator.sh
-user=root
+user=www-data
 
 [program:domain-validator]
 # Logging is disabled as otherwise all attempts will be logged which spams the logs
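Review bot: The new `user=www-data` line carries no comment recording the assumption it depends on, so a later change that makes the script touch anything outside the session directory would fail at runtime without an obvious cause; I would add `# Runs as www-data: only needs write access to /mnt/docker-aio-config/session/` directly above it, in the same style as the comment in the following `[program:domain-validator]` section. The hunk does not show `/session-deduplicator.sh` or its file mode, so it is worth confirming that the script is readable and executable by www-data and that nothing it calls needs root. supervisord changes the uid without starting a shell, so `HOME` and `USER` presumably keep the values of the supervisord process unless an `environment=` line sets them. The `[program:...]` header of this section lies above the hunk.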