How to fix Docker permission denied error in Ubuntu

The Docker permission denied error usually happens when Your user account does not have permission to access the Docker daemon socket or certain files and directories required to run containers.

These restrictions exist to prevent unauthorized access to Docker. However, in Ubuntu, they can greatly disrupt the workflow when setting up development environments.

To fix Docker permission denied error, follow these six practical solutions:

1. Modify the user group. Add your user account to the group docker so you can run Docker commands without sudo.
2. Adjust ownership of files and directories. Update ownership of configuration files and mounted volumes to ensure that the Docker engine can read and write data.
3. Check socket permissions. Check the Docker Unix socket permission levels to ensure that the communication channel with the daemon is not blocked.
4. Update script execution permissions. Ensure that commands in the Dockerfile and scripts defined in ENTRYPOINT have execution permission, avoiding failures when starting containers.
5. Configure hardware access. Allow containers to access specific devices, such as USBs or GPUs, when the error is related to hardware permissions.
6. Restart the Docker daemon. Restart the Docker service and your user session to correctly apply all permission and group changes.

Prerequisites

Before fixing the docker permission denied error, make sure your Linux system meets the basic requirements for changing administrative settings.

• Administrative access. You need permissions sudo or access as root to modify user groups and file permissions.
• User group check. Confirm which groups your account belongs to by running the command groups $USER.

Although the instructions in this guide are focused on Ubuntu, they also work on most Debian-based distributions.

1. Add your user to the Docker group

The most common cause of the permission denied error is the user is not part of the group docker.

By default, the Docker daemon runs as a service owned by the root user. Group users only docker can communicate with it without using sudo.

To fix this issue, add your current user to the group docker:

sudo usermod -aG docker $USER

This command updates your user account by adding it ( -the ) to the specified group ( -G ). As a result, your user gets permission to access the Docker daemon socket and execute Docker commands directly.

For the change to take effect, log out and log back into the system.

After signing back in, confirm that the group was applied correctly by running:

id -nG

The output must include docker in the group list.

If you want to test immediately without leaving your session, run:

newgrp docker

This command applies the group change to the current terminal session only.

2. Fix file and directory permissions

If adding your user to the group does not resolve the issue, the problem may be incorrect permissions on configuration files or mounted volumes.

Docker needs read and write access to configuration files — especially the config.json.

First, check the permissions of the local Docker configuration directory:

ls -l ~/.docker/

If the output shows that the files belong to the root instead of your user, change the ownership with the chown command:

sudo chown -R "$USER":"$USER" "$HOME/.docker"

This command recursively changes the directory ownership .docker for your current user.

Then check for possible issues with mounted volumes. When you mount a host directory inside a container, the user inside the container must have permission to read and/or write to that directory.

For example, when starting a container with one volume:

docker run -v ~/data:/app/data ubuntu

Make sure the host directory ~/data have the correct permissions. You can grant read and write access to the user ( u ) with the following chmod command:

chmod u+rw ~/data

This ensures that the user who owns the directory has sufficient permissions to manage the data within the mounted volume.

3. Check Docker socket permissions

The Docker daemon communicates through a Unix socket located at /var/run/docker.sock. If this socket has incorrect permissions, the Docker client will not be able to send commands to the daemon.

To check the current socket permissions, run:

ls -l /var/run/docker.sock

The expected result should look like this:

srw-rw---- 1 root docker 0 Dec 18 10:00 /var/run/docker.sock

This output indicates that the socket belongs to the user root and the group dockerwith read and write permissions for the group. If you see something like this and your user is already part of the group dockerthe socket configuration is correct.

If the group is not “docker” or the permissions are different, no change them manually by running the command “chmod 666 /var/run/docker.sock”.

Especially in production environments, this represents a serious security risk, as it grants full access to the Docker daemon to any user on the system — which is, in practice, equivalent to root-level access to the host.

Instead, the correct approach is to ensure that your user belongs to the group docker. When the Docker daemon starts, it automatically sets the appropriate permissions for the socket.

4. Fix permissions in the Dockerfile or ENTRYPOINT script

The docker permission denied error can also occur inside the container when the script defined as ENTRYPOINT does not have permission to execute.

This issue is common when scripts are copied from systems that do not use Unix permissions, such as Windows, into the Docker build context. In this process, the execute bit may be lost.

When this happens, the container fails to start because it cannot execute the script defined in the instructions ENTRYPOINT or CMD.

To fix, add a statement RUN right after the COPY in the Dockerfile, granting execution permission for the script:

EXECUTE chmod +x /usr/local/bin/entrypoint.sh

This step ensures that the script remains executable regardless of permissions on the host system. It is especially important when creating custom images that rely on init scripts.

5. Grant device access to Docker containers

If a container needs to interact with hardware devices — such as USB, webcam or GPU — you may encounter an error docker permission denied pointing to paths like /dev/ttyUSB0.

By default, containers run in isolation and cannot access host devices. To allow access, explicitly specify the device when starting the container using the flag –device:

docker run --device=/dev/ttyUSB0 minha-imagem

If the container needs broader permissions but not full device access, you can grant Linux-specific capabilities with the flag –cap-add:

docker run --cap-add=SYS_ADMIN minha-imagem

This approach follows the principle of least privilege – that is, granting only the capabilities that the container really needs. Some common features include NET_ADMIN for network configuration and SYS_PTRACE for debugging.

When neither specific devices nor individual capabilities do the trick, there is the option –privileged:

docker run --privileged minha-imagem

This option grants full access to all host devices and disables most of Docker’s isolation mechanisms.

Containers started in this mode can get root-level control over the host. Use –privileged only in local, trusted environments or when there are no safer alternatives.

In production environments, always prefer –device for specific hardware or –cap-add for spot permissions.

6. Restart Docker and test the configuration

After applying changes to user groups or correcting permissions, it is important to restart the Docker service so that the daemon recognizes the new configuration.

Restart Docker with systemctl:

sudo systemctl restart docker

After rebooting, check if the error is resolved by running the default container hello-world without using sudo:

docker run hello-world

If the image is downloaded, the container runs correctly and a welcome message appears in the terminal, the permissions issue has been successfully fixed.

If the error still persists, restart the entire system to ensure that all group and session changes are applied:

sudo reboot

What to learn next in Docker?

Now that your Docker installation works without permission errors, you can work with containers safely and reliably.

Resolving environmental problems, such as docker permission denied, is an essential step in learning Docker. This avoids distractions with configurations and allows you to focus on what really matters: creating, running and deploying applications.

As a next step, it’s worth deepening your understanding of Docker’s core concepts. Our complete Docker tutorial covers fundamental topics such as image management, container lifecycle, use of Docker Compose, data persistence and networking between containers — everything you need to evolve from the basics to more advanced scenarios.

Semua konten website tutorial ini screenah melalui peninjauan menyeluruh sesuai editorial standards and values ​​of WA Affordable Web Design Agency.

Journalist graduated from the Federal University of Bahia and Content Marketing Specialist at WA Affordable Web Design Agency, where I work on creating and optimizing useful, engaging and creative articles in areas such as web development and marketing. Furthermore, I am an occasional contributor to the MacMagazine website and the culture editor of Jornal A Tarde, fascinated by art, cuisine and technology.