Fix “Permission Denied” Error When Cloning Git Repo as www-data User in Ubuntu 14.04


2 views

When trying to clone a Git repository as the www-data user in Ubuntu 14.04 using:

sudo -u www-data git clone git@....../test.git

We encounter the warning:

warning: unable to access '/root/.config/git/attributes': Permission denied

Interestingly, this works perfectly fine in Ubuntu 12.04 and when executed by a regular user with sudo privileges.

The issue stems from Git's configuration lookup behavior. When running commands with sudo -u, Git still tries to access configuration files in the original user's home directory (root in this case) rather than the target user's (www-data).

Key observations:

  • Git version 1.9.1 and 2.1.1 both exhibit this behavior
  • Only occurs when running directly as root user
  • Works fine when executed by a regular user with sudo privileges

Solution 1: Set Proper Git Configuration for www-data

Create a proper Git configuration for the www-data user:

sudo -u www-data mkdir -p /var/www/.config/git
sudo -u www-data git config --global --file /var/www/.config/git/config user.name "Web Server"
sudo -u www-data git config --global --file /var/www/.config/git/config user.email "webserver@example.com"

Solution 2: Environment Variable Override

Tell Git where to look for configuration by setting environment variables:

sudo -u www-data env XDG_CONFIG_HOME=/var/www/.config git clone git@....../test.git

Or make it permanent by adding to your sudoers file:

Defaults env_keep += "XDG_CONFIG_HOME"

Solution 3: System-wide Git Configuration

Create a system-wide Git configuration that will be used by all users:

sudo mkdir -p /etc/gitconfig
sudo git config --system user.name "Server User"
sudo git config --system user.email "server@example.com"

For more complex scenarios, create a wrapper script that properly sets up the environment:

#!/bin/bash
# git-as-www-data wrapper
export XDG_CONFIG_HOME=/var/www/.config
exec /usr/bin/git "$@"

Then use it like:

sudo -u www-data git-as-www-data clone git@....../test.git

The difference comes from changes in Git's configuration file lookup behavior between versions and Ubuntu's default environment handling. Ubuntu 14.04 uses a more strict permission model and different default paths for configuration files.

For production servers, we recommend:

  1. Never run Git operations directly as root
  2. Create a dedicated deployment user instead of using www-data
  3. Set up proper SSH keys and permissions for the deployment user
  4. Use system-wide Git configuration when appropriate

Example deployment user setup:

sudo adduser --system --group deploy
sudo mkdir -p /home/deploy/.ssh
sudo chown -R deploy:deploy /home/deploy
sudo -u deploy ssh-keygen -t rsa -b 4096 -C "deploy@server"

When attempting to perform Git operations as the www-data user on Ubuntu Server 14.04 using the command:

sudo -u www-data git clone git@repository/path.git

You encounter the warning message:

warning: unable to access '/root/.config/git/attributes': Permission denied

The issue stems from Git's configuration lookup behavior. When running Git commands with sudo -u, the following occurs:

  • Git attempts to read configuration files from both system-wide and user-specific locations
  • The process still inherits some environment variables from the root user
  • Git 1.9.1+ on Ubuntu 14.04 has stricter permission checking for config files

Solution 1: Create Proper Configuration for www-data

Create a dedicated Git configuration for the web server user:

sudo -u www-data mkdir -p /var/www/.config/git
sudo -u www-data git config --global --file /var/www/.config/git/config user.name "Web Server"
sudo -u www-data git config --global --file /var/www/.config/git/config user.email "webserver@domain.com"

Solution 2: Environment Variable Override

Explicitly set the XDG_CONFIG_HOME variable when running Git commands:

sudo -u www-data XDG_CONFIG_HOME=/var/www/.config git clone git@repository/path.git

Solution 3: System-wide Git Configuration

Configure system-wide defaults in /etc/gitconfig:

[core]
    attributesfile = /etc/gitattributes

For persistent issues, check the actual file operations using strace:

sudo -u www-data strace -e open git clone git@repository/path.git 2>&1 | grep config

This will show exactly which configuration files Git is attempting to access during the operation.

  • Avoid running Git operations directly as root when possible
  • Consider setting up a deployment-specific user instead of using www-data
  • For CI/CD pipelines, create isolated environments with proper permissions