What this error means
Git protects you from running commands in a repository owned by a different user (or with mismatched permissions). When it detects this, it aborts with:
fatal: detected dubious ownership in repository
You can fix it by either making the repository owner match the current user, or explicitly trusting the path via safe.directory.
Quickstart (the two safe fixes)
- Preferred: make the repo owned by your current user.
- Linux/macOS:
sudo chown -R $(id -u):$(id -g) /path/to/repo - Windows (Git Bash/PowerShell): adjust directory ownership via system tools (e.g., Properties → Security) or re-clone under your user profile.
- Linux/macOS:
- Alternative: trust the repository path with safe.directory (use only for repos you trust).
- All platforms:
git config --global --add safe.directory /absolute/path/to/repo
- All platforms:
Verify with git status after applying one of the above.
Minimal working example (reproduce and fix)
# Linux/macOS demo
mkdir -p /tmp/demo && cd /tmp/demo
git init
printf "hi\n" > file.txt
git add file.txt && git commit -m "init"
# Run Git as root (simulates a different owner)
sudo git status # Expect: fatal: detected dubious ownership
# Fix 1: trust this path for the current (root) user config
sudo git config --global --add safe.directory /tmp/demo
sudo git status # Works now
# Alternatively, instead of trusting, fix ownership for your normal user
sudo chown -R $(id -u $USER):$(id -g $USER) /tmp/demo
# Then run as your normal user:
cd /tmp/demo && git status
Windows (Git for Windows example):
# Use forward slashes in config paths
git config --global --add safe.directory C:/dev/my-repo
Step-by-step diagnosis
- Confirm the path and error
- Run
git statusin the repo root; note the exact path shown in the error.
- Run
- Check ownership/UID
- Linux/macOS:
ls -ld . .gitorstat . - Windows: check file owner via Properties → Security.
- Linux/macOS:
- Decide your approach
- If the owner is wrong (e.g., root, another user, or a mapped UID), fix ownership.
- If the owner cannot be changed (CI, container, shared mount), add a safe.directory entry for that absolute path.
- Apply fix and verify
- Re-run
git statusandgit config --show-origin --get-all safe.directoryto confirm.
- Re-run
Common scenarios and exact commands
| Scenario | Recommended fix |
|---|---|
| Using sudo inside a repo owned by your user | Avoid sudo; or if truly needed, as root run: git config --global --add safe.directory $(pwd) |
| CI runner or Docker container runs as root on mounted workspace | Prefer non-root user matching host UID: docker run --user $(id -u):$(id -g); else: git config --global --add safe.directory /workspace or chown -R 1000:1000 /workspace |
| WSL accessing Windows files under /mnt/c | In WSL: git config --global --add safe.directory /mnt/c/Path/To/repo |
| Git for Windows on C:\ path | git config --global --add safe.directory C:/Path/To/repo |
| Network share with mismatched ownership (NFS/SMB) | Fix UID/GID mapping on the mount; if not possible, add safe.directory for the share path |
| Many trusted repos on a build box | Add each path explicitly; avoid the wildcard unless the box is controlled |
Note: safe.directory entries are per-Git-install user. If you run Git as different users (e.g., root vs dev), configure each user separately or use --system where appropriate in controlled environments.
When to use which fix
- Change ownership when you control the filesystem and user accounts. This is the safest long-term option.
- Use safe.directory in ephemeral or constrained environments (CI, containers, read-only mounts) where changing ownership is impractical.
- Avoid running Git as root unless you must. It complicates configs and file permissions.
Pitfalls and gotchas
- Use absolute, canonical paths. Git resolves real paths; entries like
~or relative paths might not match. Prefergit config --global --add safe.directory "$(pwd)"from the repo. - Different user = different config. If the error occurs under sudo/root, the entry must be set in that user’s Git config (e.g.,
sudo git config --global ...). - Windows slashes. In Git config, prefer forward slashes:
C:/repo, not backslashes. - Symlinks/casing. safe.directory compares the resolved path. Ensure the case and symlink target match the actual repo path.
- Over-broad trust.
git config --global --add safe.directory '*'trusts all directories. Only use on tightly controlled machines (e.g., dedicated CI runners). Avoid on developer laptops.
Performance notes
- Ownership fix scope. The check is on the repo directory; you usually do not need to chown the entire working tree. Minimal commands:
sudo chown $(id -u):$(id -g) .andsudo chown -R $(id -u):$(id -g) .gitThis avoids traversing large working trees.
- Large repos. Running
chown -Ron huge repos can be slow; prefer adjusting only the top-level and .git directory when possible. - CI speed. Using a non-root UID-matched container avoids repeated chown/safe.directory setup and speeds up jobs.
Verify your fix
# Show all trusted directories and where they are set from
git config --show-origin --get-all safe.directory
# Confirm Git works again
git status
Removing or changing entries
# Remove a specific path from trust list
git config --global --unset safe.directory /absolute/path/to/repo
# Remove all entries
git config --global --unset-all safe.directory
Tiny FAQ
Why does Git block on “dubious ownership”?
To prevent executing hooks or reading config from directories controlled by other users, which could be a security risk.Is safe.directory safe to use?
Yes, if you trust the path and its owner. Only add paths you control.What Git version supports safe.directory?
Git 2.35+ introduced it. Upgrade if the config is not recognized.Can I trust all directories?
safe.directory '*'is supported but risky. Prefer explicit paths.Do I need to trust submodules separately?
Yes, each submodule path may need its own safe.directory entry if ownership differs.
