I have a Pimcore project root folder which is recursively owned by www-data:www-data.
If I use sudo composer update, everything works fine, but many files will be set with root owner, which might cause further problems.
If I use sudo -u www-data composer update, I get a RuntimeException:
file_get_contents(/home/me/.composer/config.json): failed to open stream: Permission denied
If I use sudo -u me composer update, at some point, I get another RuntimeException:
An error occurred when executing the "'cache:clear --no-warmup'" command:
Fatal error: Uncaught RuntimeException: Unable to write in the cache directory (/var/www/html/pimcore/skeleton/var/cache/dev)
If I change ownership of the root folder to me:www-data, then I get RuntimeException error because some folders are not writable for the group www-data, like this folder /var/www/html/pimcore/skeleton/var/cache/dev/twig which permissions are set to drwxr-xr-x.
By which user:group should my root folder owned by and how should I run composer update?
It's better if you do not run composer as root.
Besides that, it's not particularly important which user do you use to run composer. As long as it has enough permissions to write on your project files (typically only on vendor, bin, var, and public; although it might need to write on different directories depending on the type of project.
Since you already run composer as root, it seems that /home/me/.composer/config.json has been created with root ownership, which is bringing you additional problems. Just sudo chown that file so it can be read by your own user.
Set the project so all the files belong to your (non-elevated privileges) user, and after running install fix the permissions as recommended in the documentation: