diff --git a/functions/main b/functions/main
index cbddd314..1bdc085d 100644
--- a/functions/main
+++ b/functions/main
@@ -65,8 +65,8 @@ hook_setup() {
   fi
 
   if ! [ -d "$target_directory" ] ; then
-    log_error "Hook target directory $target_directory not a directory. Exiting."
-    exit 1
+    log_error "Hook target directory $target_directory not a directory. Creating it."
+    mkdir -p "$target_directory"
   fi
 
   for hook in "${HOOKS}"/* ; do
diff --git a/sbin/ngcpcfg b/sbin/ngcpcfg
index cd794cda..115beee2 100755
--- a/sbin/ngcpcfg
+++ b/sbin/ngcpcfg
@@ -5,37 +5,32 @@
 set -e
 set -u
 
-if [ "$UID" -ne 0 ] ; then
-  printf "Error: ngcpcfg requires root permissions. Exiting.\n" >&2
-  exit 1
-fi
-
-# Notify subprocesses we are running.
-export NGCPCFG_RUNNING=1
-
-# support for testsuite
-FUNCTIONS="${FUNCTIONS:-/usr/share/ngcp-ngcpcfg/functions/}"
-SCRIPTS="${SCRIPTS:-/usr/share/ngcp-ngcpcfg/scripts/}"
-
-if ! [ -r "${FUNCTIONS}/main" ] ; then
-  printf "Error: %s/main could not be read. Exiting.\n" "${FUNCTIONS}" >&2
-  exit 1
-fi
+# helper functions
 
-if [[ "${1:-}" == "decrypt" ]] ; then
-  # do NOT source ${FUNCTIONS}/main but just provide
-  # the part we need for executing ngcpcfg itself
-  log_debug() {
-    if [ -n "${DEBUG:-}" ] ; then
-      logger -t ngcpcfg -- "Debug: $*"
-      echo ; echo "DEBUG: $*" ; echo # newlines to avoid messup with cmdline output
-    fi
-  }
-else
-  . "${FUNCTIONS}"/main
-fi
+ngcpcfg_update_perms() {
+  # Ensure that existing hooks are up2date.
+  hook_setup "${NGCPCTL_MAIN}/.git/hooks"
+
+  # Must be the first command in every 'ngcpcfg' call as git resets POSIX permissions!
+  log_debug 'Generate new .ngcpcfg_perms'
+  if [ -x "${NGCPCTL_MAIN}/.git/hooks/pre-commit" ] ; then
+    "${NGCPCTL_MAIN}/.git/hooks/pre-commit"
+  else
+    log_error "Missing pre-commit hook in '${NGCPCTL_MAIN}/.git/hooks/pre-commit', cannot store permissions, aborting to prevent damage"
+    exit 1
+  fi
+}
 
-# helper functions
+ngcpcfg_restore_perms() {
+  # Must be the last command in every 'ngcpcfg' call as git resets POSIX permissions!
+  trap '' ERR EXIT
+  log_debug "Restore permissions from .ngcpcfg_perms as git might reset them"
+  if [ ! -x "${HELPER}"/restore-permissions ]; then
+    log_error "Missing helper to restore permissions '${HELPER}/restore-permissions'. Exiting."
+    exit 1
+  fi
+  "${HELPER}"/restore-permissions "${NGCPCTL_MAIN}"
+}
 
 action() {
   ACTION="$1"
@@ -103,6 +98,43 @@ version() {
   printf "ngcpcfg, version %s\n" "${versinfo}"
 }
 
+# Main code
+
+if [ "$UID" -ne 0 ] ; then
+  printf "Error: ngcpcfg requires root permissions. Exiting.\n" >&2
+  exit 1
+fi
+
+# Notify subprocesses we are running.
+export NGCPCFG_RUNNING=1
+
+# support for testsuite
+FUNCTIONS="${FUNCTIONS:-/usr/share/ngcp-ngcpcfg/functions/}"
+SCRIPTS="${SCRIPTS:-/usr/share/ngcp-ngcpcfg/scripts/}"
+HELPER="${HELPER:-/usr/share/ngcp-ngcpcfg/helper/}"
+HOOKS="${HOOKS:-/usr/share/ngcp-ngcpcfg/hooks/}"
+
+if ! [ -r "${FUNCTIONS}/main" ] ; then
+  printf "Error: %s/main could not be read. Exiting.\n" "${FUNCTIONS}" >&2
+  exit 1
+fi
+
+if [[ "${1:-}" == "decrypt" ]] ; then
+  # do NOT source ${FUNCTIONS}/main but just provide
+  # the part we need for executing ngcpcfg itself
+  log_debug() {
+    if [ -n "${DEBUG:-}" ] ; then
+      logger -t ngcpcfg -- "Debug: $*"
+      echo ; echo "DEBUG: $*" ; echo # newlines to avoid messup with cmdline output
+    fi
+  }
+else
+  . "${FUNCTIONS}"/main
+fi
+
+ngcpcfg_update_perms
+trap 'ngcpcfg_restore_perms;' ERR EXIT
+
 case ${1:-} in
   apply|\
   build|\