How to Fix Docker Permission Denied While Trying to Connect to Daemon Socket
If you have recently installed Docker on a Linux distribution (such as Ubuntu, Debian, or CentOS) and attempt to run your first container using docker run hello-world, you will likely encounter this shell crash:
docker: permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock:
Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/json": dial unix /var/run/docker.sock: connect: permission deniedThis error blocks development pipelines. While prefixing every command with sudo (e.g., sudo docker ps) bypasses the issue, it is a poor developer workflow and introduces security risks.
In this guide, we will analyze why this socket permission error happens, implement the official secure fix, and explain the security implications of managing the Docker daemon.
Why Does this Permission Error Happen?
The Docker system consists of two parts: the Docker CLI (the command line tool you run in your shell) and the Docker Daemon (the background service that manages containers).
To communicate, the CLI connects to a Unix socket file located at /var/run/docker.sock.
By default, this socket file is owned by the root user. The Docker installer also creates a user group named docker and grants read/write permissions of the socket file to that group.
If you run the CLI as a standard user:
- The CLI attempts to read and write to
/var/run/docker.sock. - The operating system blocks the access because your user does not belong to the
dockergroup or possess root privileges. - The connection fails, raising the permission denied message.
The Solution: Add Your User to the Docker Group
To resolve this issue permanently, you must add your current user to the docker group. Follow these command steps:
Step 1: Create the Docker Group
Typically, the group is created during installation. However, verify or create it manually just in case:
sudo groupadd dockerStep 2: Add Your Current User to the Group
Run usermod to append your active user to the docker user group:
sudo usermod -aG docker $USER$USERis an environment variable that automatically resolves to your currently logged-in username.
Step 3: Refresh Your User Session
This is the step where most developers get stuck. If you immediately run docker ps, you will still see the permission denied error. This is because user group modifications only apply when a user starts a new login session.
To apply the changes immediately without rebooting or logging out, run:
newgrp dockerThis command opens a sub-shell with the updated group permissions active. You can now verify that Docker runs without sudo:
docker run hello-worldIf you are connecting to your server via SSH, log out of your terminal session and establish a new SSH connection to refresh the user session completely.
Security Warning: The Docker Group is Equivalent to Root
While adding your user to the docker group is convenient, you must understand the security implications.
The Docker Daemon runs with root privileges on your host operating system. If a user has permission to contact the Docker socket (which members of the docker group do), they can execute containers that mount the host's root directory:
# Security threat example: Mounting host root system inside a container
docker run -it -v /:/host ubuntu:latest bashFrom inside this container, the user has full access to read and modify any file on your host machine (including passwords, configurations, and SSH keys), effectively bypassing all user restrictions.
- Best Practice: Only add trusted developers or automated build users (like Jenkins or GitLab runner agents) to the
dockergroup. On shared multi-user servers, restrict Docker access carefully.
Conclusion
The Docker daemon socket permission error is resolved by adding your Linux user account to the dedicated docker group. By executing sudo usermod -aG docker $USER, refreshing the session using newgrp docker, and avoiding security pitfalls like modifying /var/run/docker.sock file permissions to 777, you can run container commands safely and efficiently.