Understanding and Fixing Docker Socket Permissions

marouane.laarif94@gmail.com (LAARIF Marouane) — Sun, 13 Jul 2025 13:01:11 +0100

You’re installing Ubuntu server, you get a screen where you can pick “snaps” to install, and like many, you probably opted for the convenient “Docker” checkbox during installation, expecting a smooth, out-of-the-box experience. However, to your surprise, when you tried to run your first Docker command, you were met with a frustrating “permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock” error.

This cryptic message, often followed by Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.48/containers/json": dial unix /var/run/docker.sock: connect: permission denied, indicates that your user doesn’t have the necessary permissions to communicate with the Docker daemon. This leaves you in a bind, unable to use Docker without sudo for every command—which isn’t ideal for workflow or security.

You try to add your user to the “docker” group so you can run docker without sudo. And surprise again, the “docker” group is not created. You create the docker group, add your user to it, and still permission error.

Why did this happen, especially with the Ubuntu installer’s Docker checkbox?

The Ubuntu server installer installs Docker as a Snap package. Snaps are designed for confinement and isolation, meaning they run in a more restricted environment for security. Unlike traditional apt package installations, the Docker Snap does not automatically handle the creation of the docker group or add your user to it due to this confinement model. This leaves you without direct access to the Docker socket, forcing you to use sudo.

Checking and Correcting Docker Socket Permissions

To check if the docker group is created run:

getent group | grep docker

If the result is empty then create the group by running :

sudo groupadd docker

and add your user:

sudo usermod -a -G docker {username}

If your group membership is confirmed, let’s look at the actual permissions of the Docker socket file:

ls -l /var/run/docker.sock

You should typically see something like this:

srw-rw---- 1 root docker 0 Jul  X HH:MM /var/run/docker.sock

Key things to look for:

Ownership: root should be the owner.
Group: docker should be the group.
Permissions: srw-rw---- means:
- s: It’s a socket file.
- rw-: Read and write for the owner (root).
- rw-: Read and write for the group (docker).
- ---: No permissions for others.

If the group is not docker or the permissions are different (e.g., rw-r-----), it might be misconfigured.

If the permissions are wrong, you can fix them:

sudo chown root:docker /var/run/docker.sock
sudo chmod 660 /var/run/docker.sock

Important Note: Some guides suggest sudo chmod 666 /var/run/docker.sock. While this will fix the permission error, it’s a security risk as it gives everyone read/write access to the Docker socket, which is equivalent to giving them root access to your system. Avoid chmod 666 for the Docker socket.

Docker on Marouane LAARIF scribbles

Understanding and Fixing Docker Socket Permissions

Checking and Correcting Docker Socket Permissions