#Sudo Permissions

Hey Krill, I ran an openclaw update with sudo and it broke permissions. how do i fix it ?

Don’t run OpenClaw with sudo — it can leave ~/.openclaw files owned by root.

First, please paste:

openclaw --version

Quick fix to try:

openclaw gateway stop

sudo chown -R "$(id -u):$(id -g)" "$HOME/.openclaw"
chmod 700 "$HOME/.openclaw"
[ -f "$HOME/.openclaw/openclaw.json" ] && chmod 600 "$HOME/.openclaw/openclaw.json"

openclaw doctor --fix
openclaw gateway restart
openclaw status --all

If openclaw update partially broke the install itself, recover without sudo:

curl -fsSL https://openclaw.ai/install.sh | bash -s -- --install-method npm --no-onboard
openclaw doctor --fix

Docs: https://docs.openclaw.ai/install/updating and https://docs.openclaw.ai/gateway/doctor

Important: don’t chown -R /usr, /opt/homebrew, or your whole home folder. Only fix ~/.openclaw unless we confirm your npm prefix is user-local.

Gateway restart attempts (tail): /Users/simmonsai/.openclaw/logs/gateway-restart.log
[2026-04-25T02:35:48Z] openclaw restart attempt source=launchd-handoff mode=kickstart target=gui/501/ai.openclaw.gateway waitPid=47987
[2026-04-25T02:35:48Z] openclaw restart done source=launchd-handoff mode=kickstart
[2026-04-27T04:44:36Z] openclaw restart attempt source=update target=ai.openclaw.gateway
[2026-04-27T04:44:36Z] openclaw restart done source=update
[2026-04-27T05:00:18Z] openclaw restart attempt source=update target=ai.openclaw.gateway
[2026-04-27T05:00:19Z] openclaw restart done source=update
[2026-04-27T05:08:37Z] openclaw restart attempt source=launchd-handoff mode=kickstart target=gui/501/ai.openclaw.gateway waitPid=99960
[2026-04-27T05:08:37Z] openclaw restart done source=launchd-handoff mode=kickstart
[2026-04-27T22:24:46Z] openclaw restart attempt source=launchd-handoff mode=kickstart target=gui/501/ai.openclaw.gateway waitPid=34668
[2026-04-27T22:24:46Z] openclaw restart done source=launchd-handoff mode=kickstart
[2026-04-28T00:15:11Z] openclaw restart attempt source=launchd-handoff mode=kickstart target=gui/501/ai.openclaw.gateway waitPid=36778
[2026-04-28T00:15:11Z] openclaw restart done source=launchd-handoff mode=kickstart
[2026-04-28T01:33:19Z] openclaw restart attempt source=launchd-handoff mode=kickstart target=gui/501/ai.openclaw.gateway waitPid=38295
[2026-04-28T01:33:20Z] openclaw restart done source=launchd-handoff mode=kickstart
! Channel issues skipped (gateway unreachable)

That tail only says launchd tried to restart it — not that the gateway actually booted. Since it says “gateway unreachable”, I’d repair ownership, reinstall the per-user LaunchAgent, then check the real error log.

Run these as your normal user, not sudo:

openclaw --version
which openclaw

# fix root-owned OpenClaw state from the sudo update
sudo chown -R "$(id -un):$(id -gn)" "$HOME/.openclaw"
sudo chown "$(id -un):$(id -gn)" "$HOME/Library/LaunchAgents/ai.openclaw.gateway.plist" 2>/dev/null || true
chmod 700 "$HOME/.openclaw"
[ -f "$HOME/.openclaw/openclaw.json" ] && chmod 600 "$HOME/.openclaw/openclaw.json"

# repair state/service metadata
openclaw doctor --fix

openclaw gateway install --force
openclaw gateway restart
openclaw gateway status --deep

If it’s still unreachable, paste this next — this is the useful bit:

tail -120 "$HOME/.openclaw/logs/gateway.err.log"
tail -120 "$HOME/.openclaw/logs/gateway.log"

And yep: avoid sudo openclaw update going forward. If npm/global install complains about permissions, use the installer/local prefix path instead of sudo. Docs: https://docs.openclaw.ai/install/updating and https://docs.openclaw.ai/gateway/troubleshooting

Service: LaunchAgent (loaded)
File logs: /tmp/openclaw/openclaw-2026-04-28.log
Command: /opt/homebrew/opt/node/bin/node /opt/homebrew/lib/node_modules/openclaw/dist/index.js gateway --port 18789
Service file: ~/Library/LaunchAgents/ai.openclaw.gateway.plist
Working dir: ~/.openclaw
Service env: OPENCLAW_GATEWAY_PORT=18789

Config (cli): ~/.openclaw/openclaw.json
Config (service): ~/.openclaw/openclaw.json

Gateway: bind=loopback (127.0.0.1), port=18789 (service args)
Probe target: ws://127.0.0.1:18789
Dashboard: http://127.0.0.1:18789/
Probe note: Loopback-only gateway; only local clients can connect.

Runtime: running (pid 61522, state active)
Warm-up: launch agents can take a few seconds. Try again shortly.
Connectivity probe: failed
Probe target: ws://127.0.0.1:18789
timeout
Capability: unknown

Port 18789 is already in use.

• pid 61522 simmonsai: openclaw-gateway (127.0.0.1:18789)
• Gateway already running locally. Stop it (openclaw gateway stop) or use a different port.
  Listening: 127.0.0.1:18789
  Other gateway-like services detected (best effort):
• ai.openclaw.obsidian-daily-note (user, plist: /Users/simmonsai/Library/LaunchAgents/ai.openclaw.obsidian-daily-note.plist)
• ai.parlay.parlayai (user, plist: /Users/simmonsai/Library/LaunchAgents/ai.parlay.parlayai.plist)
  Cleanup hint: launchctl bootout gui/$UID/ai.openclaw.gateway
  Cleanup hint: rm ~/Library/LaunchAgents/ai.openclaw.gateway.plist

Recommendation: run a single gateway per machine for most setups. One gateway supports multiple agents (see docs: /gateway#multiple-gateways-same-host).
If you need multiple gateways (e.g., a rescue bot on the same host), isolate ports + config/state (see docs: /gateway#multiple-gateways-same-host).

That output means: launchd has a gateway process, and it owns port 18789, but the WebSocket probe is timing out. So the “port already in use” is probably the stuck gateway itself, not necessarily a second gateway.

First paste version if you haven’t yet:

openclaw --version

Then grab the real startup error:

tail -160 /tmp/openclaw/openclaw-2026-04-28.log
tail -120 "$HOME/.openclaw/logs/gateway.err.log" 2>/dev/null

If the log is just stuck/no useful error, do a hard reset of only the main OpenClaw LaunchAgent:

launchctl bootout "gui/$UID/ai.openclaw.gateway" 2>/dev/null || true
kill 61522 2>/dev/null || true

sudo chown -R "$(id -un):$(id -gn)" "$HOME/.openclaw"
chmod 700 "$HOME/.openclaw"
[ -f "$HOME/.openclaw/openclaw.json" ] && chmod 600 "$HOME/.openclaw/openclaw.json"

openclaw doctor --fix
openclaw gateway install --force
openclaw gateway restart
openclaw gateway status --deep

Don’t remove the obsidian-daily-note or parlay LaunchAgents from that output — they’re separate. Only touch ai.openclaw.gateway here.

Service: LaunchAgent (loaded)
File logs: /tmp/openclaw/openclaw-2026-04-28.log
Command: /opt/homebrew/opt/node/bin/node /opt/homebrew/lib/node_modules/openclaw/dist/index.js gateway --port 18789
Service file: ~/Library/LaunchAgents/ai.openclaw.gateway.plist
Working dir: ~/.openclaw
Service env: OPENCLAW_GATEWAY_PORT=18789

Config (cli): ~/.openclaw/openclaw.json
Config (service): ~/.openclaw/openclaw.json

Gateway: bind=loopback (127.0.0.1), port=18789 (service args)
Probe target: ws://127.0.0.1:18789
Dashboard: http://127.0.0.1:18789/
Probe note: Loopback-only gateway; only local clients can connect.

Runtime: running (pid 61912, state active)
Warm-up: launch agents can take a few seconds. Try again shortly.
Connectivity probe: failed
Probe target: ws://127.0.0.1:18789
timeout
Capability: unknown

Port 18789 is already in use.

• pid 61912 simmonsai: openclaw-gateway (127.0.0.1:18789)
• Gateway already running locally. Stop it (openclaw gateway stop) or use a different port.
  Listening: 127.0.0.1:18789
  Other gateway-like services detected (best effort):
• ai.openclaw.obsidian-daily-note (user, plist: /Users/simmonsai/Library/LaunchAgents/ai.openclaw.obsidian-daily-note.plist)
• ai.parlay.parlayai (user, plist: /Users/simmonsai/Library/LaunchAgents/ai.parlay.parlayai.plist)
  Cleanup hint: launchctl bootout gui/$UID/ai.openclaw.gateway
  Cleanup hint: rm ~/Library/LaunchAgents/ai.openclaw.gateway.plist

Recommendation: run a single gateway per machine for most setups. One gateway supports multiple agents (see docs: /gateway#multiple-gateways-same-host).
If you need multiple gateways (e.g., a rescue bot on the same host), isolate ports + config/state (see docs: /gateway#multiple-gateways-same-host).

That’s the same status again — useful clue though: the PID changed, so restart is happening, but the new gateway still binds 18789 and then doesn’t answer. Next step is logs or foreground run, not more status.

Please paste:

openclaw --version
tail -180 /tmp/openclaw/openclaw-2026-04-28.log
tail -120 "$HOME/.openclaw/logs/gateway.err.log" 2>/dev/null

If those logs are empty/useless, run it in foreground so we can see the actual startup failure:

launchctl bootout "gui/$UID/ai.openclaw.gateway" 2>/dev/null || true

PID="$(lsof -nP -tiTCP:18789 -sTCP:LISTEN)"

[ -n "$PID" ] && kill "$PID"

OPENCLAW_LOG_LEVEL=debug openclaw gateway run --port 18789

Leave that terminal open and paste the first error/stack trace it prints. Press Ctrl-C afterward. This will tell us whether it’s still permissions, a broken package from the sudo update, or something hanging during gateway startup.

18:25:51 [gateway] loading configuration…
18:25:51 [gateway] resolving authentication…
18:25:51 [gateway] starting...
18:25:53 [gateway] starting HTTP server...
18:25:53 [canvas] host mounted at http://127.0.0.1:18789/__openclaw__/canvas/ (root /Users/simmonsai/.openclaw/canvas)
18:25:53 [plugins] bonjour: starting (hostname=open-claw-2, instance="open-claw (OpenClaw)", gatewayPort=18789, minimal=true)
18:25:53 [health-monitor] started (interval: 300s, startup-grace: 60s, channel-connect-grace: 120s)
18:25:53 [gateway] agent model: minimax/MiniMax-M2.7-highspeed
18:25:53 [gateway] http server listening (9 plugins: acpx, bluebubbles, bonjour, browser, device-pair, discord, memory-core, phone-control, talk-voice; 2.6s)
18:25:53 [gateway] log file: /tmp/openclaw/openclaw-2026-04-28.log
18:25:53 [gateway] security warning: dangerous config flags enabled: gateway.controlUi.allowInsecureAuth=true. Run openclaw security audit.
18:25:53 [gateway] starting channels and sidecars...
18:25:57 [codex/catalog] codex model discovery failed; using fallback catalog
18:26:20 [bluebubbles] [default] starting provider (webhook=/bluebubbles-webhook)
18:26:20 [plugins] bonjour: watchdog detected non-announced service; attempting re-advertise (gateway fqdn=open-claw (OpenClaw)._openclaw-gw._tcp.local. host=open-claw-2.local. port=18789 state=probing)
18:26:24 [plugins] bonjour: advertised gateway fqdn=open-claw (OpenClaw)._openclaw-gw._tcp.local. host=open-claw-2.local. port=18789 state=announcing
18:26:24 [discord] [default] starting provider
18:26:24 [model-pricing] OpenRouter pricing fetch failed: TypeError: fetch failed
18:26:24 [plugins] embedded acpx runtime backend registered (cwd: /Users/simmonsai/.openclaw/workspace)
18:26:24 [browser/server] Browser control listening on http://127.0.0.1:18791/ (auth=token)
18:26:24 [gateway] ready
18:26:24 [heartbeat] started
18:26:24 [plugins] [hooks] running gateway_start (1 handlers)
18:26:24 [discord] channels resolved: 1487309801305280576 (guild:Personal Server; aliases:guild:1487309801305280576)
18:26:24 [discord] channel users resolved: 119881810195906560
18:26:24 [bluebubbles] [default] BlueBubbles server macOS 26.3.0
18:26:24 [bluebubbles] [default] BlueBubbles Private API enabled
18:26:24 [bluebubbles] [default] BlueBubbles webhook listening on /bluebubbles-webhook
18:26:24 [bluebubbles] [default] BlueBubbles catchup: replayed=0 skipped_fromMe=0 skipped_preCursor=0 skipped_givenUp=0 failed=0 given_up=0 fetched=0 window_ms=260005

Nice — that log actually looks healthy. It reaches:

[gateway] ready
[heartbeat] started

So the permission damage is probably repaired now. The earlier Connectivity probe: timeout may just have been during the slow startup window — BlueBubbles/sidecars took ~30s before the gateway declared ready.

If this is still running in the foreground, do this:

# stop the foreground gateway with Ctrl-C first

openclaw gateway install --force
openclaw gateway restart

# wait ~45 seconds, then:
openclaw gateway status --deep
openclaw status --all

The codex model discovery failed and OpenRouter pricing fetch failed lines are non-fatal. The one thing I’d clean up later is:

gateway.controlUi.allowInsecureAuth=true

Run:

openclaw security audit

If status --deep is good now, you’re back. If it still times out after [gateway] ready, paste that status output plus openclaw --version.

OpenClaw 2026.4.26 (be8c246)

Yep, 2026.4.26 is the current published stable, so you’re not on some ancient broken build.

Given your log hit [gateway] ready, I’d call the permissions part mostly fixed. Do this cleanup path now:

# if foreground gateway is still running, Ctrl-C it first

openclaw gateway install --force
openclaw gateway restart

sleep 45
openclaw gateway status --deep
openclaw status --all

If it still says Connectivity probe: timeout but the log shows [gateway] ready and Discord/BlueBubbles work, that’s likely a status/probe false-negative in this release rather than a dead gateway.

If everything works now, please mark the solution so it gets indexed for future users:

right-click the solution message → Apps → ✅ Mark Solution 🦐

simmonsai@open-claw-2 ~ % openclaw gateway install --force
openclaw gateway restart
Installed LaunchAgent: /Users/simmonsai/Library/LaunchAgents/ai.openclaw.gateway.plist
Logs: /Users/simmonsai/.openclaw/logs/gateway.log
Restarted LaunchAgent: gui/501/ai.openclaw.gateway
Found stale gateway process(es): 62105.
Stopping stale process(es) and retrying restart...
Restarted LaunchAgent: gui/501/ai.openclaw.gateway
simmonsai@open-claw-2 ~ % openclaw gateway status --deep
openclaw status --all
Service: LaunchAgent (loaded)
File logs: /tmp/openclaw/openclaw-2026-04-28.log
Command: /opt/homebrew/opt/node/bin/node /opt/homebrew/lib/node_modules/openclaw/dist/index.js gateway --port 18789
Service file: ~/Library/LaunchAgents/ai.openclaw.gateway.plist
Working dir: ~/.openclaw
Service env: OPENCLAW_GATEWAY_PORT=18789
Listening: 127.0.0.1:18789
Other gateway-like services detected (best effort):
ai.openclaw.obsidian-daily-note (user, plist: /Users/simmonsai/Library/LaunchAgents/ai.openclaw.obsidian-daily-note.plist)
ai.parlay.parlayai (user, plist: /Users/simmonsai/Library/LaunchAgents/ai.parlay.parlayai.plist)
Cleanup hint: launchctl bootout gui/$UID/ai.openclaw.gateway
Cleanup hint: rm ~/Library/LaunchAgents/ai.openclaw.gateway.plist
Gateway last log line:
2026-04-28T18:32:16.554-05:00 [plugins] bonjour: disabling advertiser after 3 failed restarts (service stuck in unannounced for 10002ms (gateway fqdn=open-claw (OpenClaw)._openclaw-gw._tcp.local. host=open-claw-2.local. port=18789 state=unannounced)); set discovery.mdns.mode="off" or OPENCLAW_DISABLE_BONJOUR=1 to disable mDNS discovery
! Port 18789
Port 18789 is already in use.

pid 64065 simmonsai: openclaw-gateway (127.0.0.1:18789)
Gateway already running locally. Stop it (openclaw gateway stop) or use a different port.
! Tailscale exposure: off · daemon unknown
✓ Skills: 22 eligible · 0 missing · /Users/simmonsai/.openclaw/workspace
✓ Plugin compatibility (none)

This is progress — the bad stale process got cleaned up:

Found stale gateway process(es): 62105.
Stopping stale process(es) and retrying restart...

Now the remaining scary-looking bit is mostly Bonjour/mDNS discovery, not the gateway itself:

bonjour: disabling advertiser after 3 failed restarts

That only affects LAN auto-discovery for apps/nodes. If you don’t need Bonjour discovery, turn it off and restart:

openclaw config set discovery.mdns.mode off
openclaw gateway restart

sleep 45
openclaw gateway status --deep

The Port 18789 is already in use line is okay if the PID is openclaw-gateway — that’s your actual gateway listening. It’s only a problem if some other process owns the port.

After disabling Bonjour, check whether the real stuff works:

open http://127.0.0.1:18789/
openclaw status --all