Fix: Docker Permission Denied While Trying to Connect to the Docker Daemon Socket
The Error
You try to run a Docker command and get:
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: connect: permission denied
Why This Happens
The Docker daemon runs as root and binds to a Unix socket owned by root. Your user account doesn’t have permission to access this socket.
Fix 1: Add Your User to the Docker Group
This is the most common fix for development machines:
sudo usermod -aG docker $USER
Then log out and log back in, or apply the new group to your current shell:
newgrp docker
Verify it works:
docker ps
Security note: Adding a user to the docker group grants root-equivalent access to the host system through Docker. This is fine for personal development machines, but on shared or production servers, consider Fix 2 (rootless Docker) instead.
Fix 2: Use Rootless Docker (Most Secure)
Rootless Docker runs the daemon and containers entirely under your user account — no root privileges needed at all. This is the recommended approach for security-conscious setups.
Install rootless Docker
dockerd-rootless-setuptool.sh install
If the setup tool is not available, install the prerequisites:
# Ubuntu/Debian
sudo apt install -y uidmap dbus-user-session
# Then run the setup
dockerd-rootless-setuptool.sh install
After installation, add these to your ~/.bashrc or ~/.zshrc:
export PATH=/usr/bin:$PATH
export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock
Reload your shell and verify:
source ~/.bashrc
docker ps
Why rootless is better: The standard Docker daemon runs as root, so any container escape gives an attacker root access to the host. Rootless Docker removes that risk: the daemon and containers run as your user, so an escape yields that user's privileges rather than root.
Fix 3: Use sudo (Quick but Not Recommended)
sudo docker ps
This works immediately but you’ll need sudo for every Docker command, and it doesn’t fix the underlying issue.
Fix 4: Fix Socket Permissions (Temporary)
sudo chmod 666 /var/run/docker.sock
Warning: This gives all users on the system read/write access to the Docker socket, which is equivalent to root access. This resets on reboot, but while active, any user or process on the machine can control Docker. Use Fix 1 or Fix 2 instead. For a deeper look at Linux permission errors, see Fix: bash permission denied.
Still Not Working?
Docker daemon is not running
Check if the Docker daemon is actually running. If the daemon isn’t up, you may also see connection refused errors:
sudo systemctl status docker
If it’s not running, start it:
sudo systemctl start docker
sudo systemctl enable docker
Snap-installed Docker (Ubuntu)
If you installed Docker via Snap (sudo snap install docker), the socket path and group behavior differ from the standard installation:
# Check if Docker is a snap
snap list | grep docker
# The socket may be at a different path
ls -la /var/run/docker.sock
For Snap-installed Docker, you may need to add your user to the docker group created by the snap, or switch to the official Docker installation from Docker’s apt repository for better compatibility.
Docker Desktop on Linux
Docker Desktop for Linux uses a different socket path than the standard Docker Engine:
# Docker Desktop uses this socket:
ls -la ~/.docker/desktop/docker.sock
If you have both Docker Engine and Docker Desktop installed, make sure the DOCKER_HOST environment variable points to the correct socket.
WSL2 on Windows
If you’re using Docker Desktop with WSL2 integration:
- Open Docker Desktop settings
- Go to Resources > WSL Integration
- Enable integration for your WSL2 distro
- Restart your WSL2 terminal
If the error persists in WSL2, try:
# Check if Docker socket is accessible
ls -la /var/run/docker.sock
Docker Desktop should create this socket automatically when WSL integration is enabled.
SELinux or AppArmor blocking access
On systems with SELinux (Fedora, RHEL, CentOS) or AppArmor (Ubuntu), security policies may block Docker socket access even when you’re in the docker group:
# Check SELinux denials
sudo ausearch -m avc -ts recent | grep docker
# Temporarily set SELinux to permissive to test
sudo setenforce 0
docker ps # if this works, SELinux was blocking it
sudo setenforce 1 # re-enable
For a permanent SELinux fix, you’ll need to create a proper policy module or ensure Docker’s SELinux integration is correctly installed.
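The checks from this section combined into one diagnostic, as an added example that is not part of the original article: it resolves the socket from DOCKER_HOST, then reports whether access fails because the socket is missing, the group is not yet applied to the session, or the mode bits deny it, and it flags the world-writable state left by Fix 4. The function names and verdict strings are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the article). Linux only: uses `stat -c`.

# Socket the docker CLI will use: DOCKER_HOST when it is a unix:// URL,
# otherwise the default engine socket. Empty output = remote daemon.
socket_path() {
    host="${DOCKER_HOST:-unix:///var/run/docker.sock}"
    case "$host" in
        unix://*) printf '%s\n' "${host#unix://}" ;;
        *)        printf '\n' ;;
    esac
}

# Print one verdict for a socket path: missing, world-writable,
# accessible, relogin-needed, mode-denies-group or not-in-group.
diagnose_socket() {
    sock="$1"
    [ -e "$sock" ] || { echo "missing"; return 0; }
    mode=$(stat -c '%a' "$sock")
    group=$(stat -c '%G' "$sock")
    # Last octal digit = permissions for "other"; the 2 bit is write.
    # chmod 666 (Fix 4) sets it: every local user can drive Docker.
    case "${mode#"${mode%?}"}" in
        2|3|6|7) echo "world-writable"; return 0 ;;
    esac
    if [ -r "$sock" ] && [ -w "$sock" ]; then
        echo "accessible"; return 0
    fi
    # `id -nG` lists this session's groups; `id -nG NAME` lists the
    # groups on record, which include a usermod -aG not yet picked up.
    case " $(id -nG) " in
        *" $group "*) echo "mode-denies-group"; return 0 ;;
    esac
    case " $(id -nG "$(id -un)") " in
        *" $group "*) echo "relogin-needed"; return 0 ;;
    esac
    echo "not-in-group"
}

target=$(socket_path)
if [ -n "$target" ]; then
    echo "$target: $(diagnose_socket "$target")"
fi
```

A `world-writable` verdict means the Fix 4 permissions are still in effect; `relogin-needed` means Fix 1 was applied but the current session predates it.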
Related: If you’re getting permission errors with npm instead of Docker, see Fix: EACCES permission denied when installing npm packages globally.