Vadym/obsidian
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
obsidian/wiki/concepts/sudo-git-clone-root-ownership.md
Vadym Samoilenko 3c2d661732 vault backup: 2026-04-30 21:42:22
2026-04-30 21:42:22 +01:00

74 lines
2.2 KiB
Markdown
Raw Blame History

---
title: "sudo git clone Makes Files Root-Owned — User git Pull Fails"
aliases:
- sudo-git-clone-root-files
- git-permission-denied-fetch-head
tags:
- git
- linux
- server
- permissions
sources:
- "daily/2026-04-30.md"
created: 2026-04-30
updated: 2026-04-30
---
# sudo git clone Makes Files Root-Owned — User git Pull Fails
Running `sudo git clone` on a server creates every file and directory — including the entire `.git/` folder — owned by `root`. Any subsequent `git pull` or `git fetch` run as a regular user fails with `Permission denied` on `.git/FETCH_HEAD` (or similar index files), even though the user can read the working tree.
## Key Points
- `sudo git clone` → all files owned by `root:root`
- `git pull` as a non-root user hits a write permission error on `.git/FETCH_HEAD`
- The error message looks like a network or credential issue but is purely a filesystem ownership problem
- Fix: `sudo chown -R $USER:$USER /opt/project`
- Prevention: never use `sudo` for `git clone` unless the repo must be root-owned
## Details
### The Error
```
error: cannot open .git/FETCH_HEAD: Permission denied
```
or
```
fatal: Unable to create '/opt/project/.git/index.lock': Permission denied
```
### Fix
```bash
sudo chown -R $USER:$USER /opt/project
# Verify
ls -la /opt/project/.git/
```
### Prevention
If deploying to `/opt/` or `/srv/` (root-owned dirs), create the directory first, then clone as the service user:
```bash
sudo mkdir -p /opt/project
sudo chown deploy:deploy /opt/project
git clone git@github.com:org/project.git /opt/project
```
Or use `sudo -u deploy git clone ...` to clone as the deploy user directly.
### Why This Happens
`sudo` switches the effective UID to root. `git clone` creates all files with the current effective UID as owner. There is no `--chown` flag on `git clone`, unlike `docker cp`.
## Related Concepts
- [[wiki/concepts/monorepo-deploy-script-pitfall]] — another class of silent git failure during deploys
- [[wiki/concepts/python-service-deployment-dotenv]] — deploy checklist for Python services
## Sources
- [[daily/2026-04-30.md]] — Session 12:11, re-deploy after project folder deletion; sudo git clone footgun discovered
Reference in a new issue View git blame Copy permalink