Hi,
our SIEM system complains about lowerdir too open permission:

...
-rw-rw-rw- 1 root root 492 Jan 11 13:07 /var/lib/docker/overlay2/06d3fb3b4577a82e800300868e3d107c799c5510fefa4d46cd43b5f5ee3578e0-init/lower
-rw-rw-rw- 1 root root 521 Jan 11 13:05 /var/lib/docker/overlay2/115142d8202aef6128ac888f6af66695c72321e44fc7b0c2729a9783a9fe67ff-init/lower
-rw-rw-rw- 1 root root 115 Jan 11 13:05 /var/lib/docker/overlay2/12c539a63c8f3d491be1c7f9f7e697cc8586049ea660e29bf1844b9c181b2438-init/lower
...

This can be seen on:
OS: Debian 12 Bookworm
Package: docker-ce 5:24.0.7-1~debian.12~bookworm amd64

Server with OS package docker.io 20.10.24+dfsg1-1+b3 has permissions

...
-rw-r--r-- 1 root root 666 Jan 10 15:43 /var/lib/docker/overlay2/e27c7f2dfaa0b05ddc1b722b88288d29f52ddda0949aaae9b19c87e2fe8478e1-init/lower
-rw-r--r-- 1 root root 666 Jan 15 10:23 /var/lib/docker/overlay2/e59c3e714cd98548e467793cf45054acfa8776a24d64577078f17856b27614b8-init/lower
-rw-r--r-- 1 root root 666 Jan  4 14:54 /var/lib/docker/overlay2/e68b63d069388f96a7ac3800358648eb03cd26ba45a118721cd631510c202bc6-init/lower
...

Is there way to limit them to -rw-r--r-- with CE packages as well?

Interesting. I don’t know why that difference is, but I see the same on Docker CE 24.0. It is not bcause of the package. Usually docker-ce is recommended and not docker.io.

You could search for similar issues here:

Or open a new issue. I don’t know if it is normal or a bug.