diff --git a/src/applications/diffusion/protocol/DiffusionCommandEngine.php b/src/applications/diffusion/protocol/DiffusionCommandEngine.php
--- a/src/applications/diffusion/protocol/DiffusionCommandEngine.php
+++ b/src/applications/diffusion/protocol/DiffusionCommandEngine.php
@@ -117,12 +117,16 @@
 return $this->sudoAsDaemon;
 }
+ protected function shouldAlwaysSudo() {
+ return false;
+ }
+
 public function newFuture() {
 $argv = $this->newCommandArgv();
 $env = $this->newCommandEnvironment();
 $is_passthru = $this->getPassthru();
- if ($this->getSudoAsDaemon()) {
+ if ($this->getSudoAsDaemon() || $this->shouldAlwaysSudo()) {
 $command = call_user_func_array('csprintf', $argv);
 $command = PhabricatorDaemon::sudoCommandAsDaemonUser($command);
 $argv = array('%C', $command);
diff --git a/src/applications/diffusion/protocol/DiffusionGitCommandEngine.php b/src/applications/diffusion/protocol/DiffusionGitCommandEngine.php
--- a/src/applications/diffusion/protocol/DiffusionGitCommandEngine.php
+++ b/src/applications/diffusion/protocol/DiffusionGitCommandEngine.php
@@ -13,6 +13,20 @@
 return array($pattern, $argv);
 }
+ protected function shouldAlwaysSudo() {
+
+ // See T13673. In Git, always try to use "sudo" to execute commands as the
+ // daemon user (if such a user is configured), because Git 2.35.2 and newer
+ // (and some older versions of Git with backported security patches) refuse
+ // to execute if the top level repository directory is not owned by the
+ // current user.
+
+ // Previously, we used "sudo" only when performing writes to the
+ // repository directory.
+
+ return true;
+ }
+
 protected function newCustomEnvironment() {
 $env = array();
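Review bot: The new `shouldAlwaysSudo()` hook in DiffusionCommandEngine has no docblock, although it is a privilege switch: through the `||` in `newFuture()` it forces the `PhabricatorDaemon::sudoCommandAsDaemonUser()` wrap even when the caller left the `sudoAsDaemon` flag off. That precedence should be written down where subclass authors will see it, for example `/** Return true to run every command from this engine as the daemon user, even when the sudoAsDaemon flag is unset. */` above the method. It would also help to state that the base default is `false` so that non-Git engines keep the old write-only behaviour. The body of `newFuture()` continues past the end of the hunk, so how `$env` is applied after the wrap is not visible here.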
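Review bot: The override in DiffusionGitCommandEngine returns `true` unconditionally, so the "if such a user is configured" condition in its comment is not enforced in this method. It presumably lives inside `PhabricatorDaemon::sudoCommandAsDaemonUser()`, which the diff does not show; please confirm and name that location in the comment, e.g. `// The "is a daemon user configured" check is done by sudoCommandAsDaemonUser().`. Read-only Git commands now go through sudo as well, so an install whose sudoers rule was scoped to the write-path binaries may start failing reads. That requirement belongs in the comment or in the upgrade notes. The explanatory comment would also read better as a docblock above the method than as a block after the opening brace.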