My socket changes group after being started

Hi!
I’m trying to fix the permission error on my user (the common error for users that are not in the docker group), but I think that I have some strange settings, because my docker.socket changes its GID some seconds after launch.
I think this because if I run stat /var/run/docker.sock right after sudo systemctl restart docker.socket, I see:

  File: /var/run/docker.sock
  Size: 0               Blocks: 0          IO Block: 4096   socket
Device: 0,21    Inode: 7270        Links: 1
Access: (0660/srw-rw----)  Uid: (    0/    root)   Gid: (  991/  docker)
Access: 2025-08-30 14:41:33.477778832 +0200
Modify: 2025-08-30 14:41:33.477778832 +0200
Change: 2025-08-30 14:41:33.509778465 +0200
 Birth: 2025-08-30 14:41:33.477778832 +0200

And after some seconds:

  File: /var/run/docker.sock
  Size: 0               Blocks: 0          IO Block: 4096   socket
Device: 0,21    Inode: 7270        Links: 1
Access: (0660/srw-rw----)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2025-08-30 14:41:55.777522724 +0200
Modify: 2025-08-30 14:41:33.477778832 +0200
Change: 2025-08-30 14:41:38.773718020 +0200
 Birth: 2025-08-30 14:41:33.477778832 +0200

Before messing around with systemd override files, I followed the tips on Post-installation steps | Docker Docs (with log-out & log-in, newgrp docker and also a full system restart) with no effect. So I started to dig around and found this strange behavior.

Some references:
output of id, where I see the group 991(docker) for my user:
uid=1000(maurizio) gid=1000(maurizio) groups=1000(maurizio),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),102(input),105(render),106(netdev),115(lpadmin),991(docker),993(gpio),994(i2c),995(spi)

content of docker.socket override, where I’ve rewritten the SocketGroup (but the default one is also docker…):

### Editing /etc/systemd/system/docker.socket.d/override.conf
### Anything between here and the comment below will become the new contents of the file

[Socket]
SocketGroup=docker

### Lines below this comment will be discarded
### /lib/systemd/system/docker.socket
# [Unit]
# Description=Docker Socket for the API
#
# [Socket]
# # If /var/run is not implemented as a symlink to /run, you may need to
# # specify ListenStream=/var/run/docker.sock instead.
# ListenStream=/run/docker.sock
# SocketMode=0660
# SocketUser=root
# SocketGroup=docker
#
# [Install]
# WantedBy=sockets.target

content of docker.service override, where I’ve added the -G parameter:

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -G docker -H fd:// --containerd=/run/containerd/containerd.sock

While writing this post, I realised that I had a very old version of Docker (Docker version 20.10.24+dfsg1, build 297e128), so I updated to Docker version 28.3.3, build 980b856, but sadly nothing changed.
OS: Linux krasp 6.6.62+rpt-rpi-v8 #1 SMP PREEMPT Debian 1:6.6.62-1+rpt1 (2024-11-25) aarch64

So… any ideas? Thanks! :heart:

After some other tries, I reached my goal with this override in systemd docker.service:

[Service]
ExecStartPost=/bin/chown root:docker /var/run/docker.sock
ExecStartPost=/bin/chmod 0660 /var/run/docker.sock

But I’d like to keep this post open for some more time (I know that was only 19 min ago, but I’ve been trying all day :grinning_face:) because I don’t like the solution :sweat_smile:

Generally, neither the override nor a workaround should be required. By default the docker.sock should be owned by docker:root. Something must be modifying the owner of the pseudo-file.

If you run containers that bind the docker.sock, you might want to check if any of them is responsible for this behavior. Stop them all, make sure the docker.sock is owned by root:docker, then start one of those containers, wait and see if the ownership was changed, if not continue with the next.

I would run this command to see what the final values are:

systemctl show docker.socket | grep -i 'SocketUser\|SocketGroup\|SocketMode'

If the change happens only when you restart the socket file, but never if you don’t restart it, I don’t see how any container could change it, but I can imagine some other override files that affect the final group.
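
Added example, not part of any post in this thread: a small POSIX shell script that combines the checks suggested above. It reads the effective SocketUser/SocketGroup/SocketMode and the drop-in files from `systemctl show docker.socket`, compares them with the on-disk ownership, and logs when the ownership changes. The sample input and the second drop-in path are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Compares what systemd declares for
# docker.socket with what is on disk and logs later ownership changes.
SOCK=${SOCK:-/var/run/docker.sock}    # socket path as shown in the thread

# stdin: `systemctl show docker.socket` output -> "user:group:mode"
declared_owner() {
    awk -F= '$1 == "SocketUser"  { u = $2 }
             $1 == "SocketGroup" { g = $2 }
             $1 == "SocketMode"  { m = $2; sub(/^0+/, "", m) }  # 0660 -> 660
             END { print u ":" g ":" m }'
}

# stdin: same output -> one drop-in file per line (other overrides to review)
dropin_paths() {
    awk -F= '$1 == "DropInPaths" { print $2 }' | tr ' ' '\n' | sed '/^$/d'
}

# "user:group:mode" of a path, in the same form (GNU stat)
actual_owner() { stat -c '%U:%G:%a' "$1"; }

# Return 0 when declared and actual match, 1 on drift
check_drift() {
    if [ "$1" = "$2" ]; then echo "OK: $2"; return 0; fi
    echo "DRIFT: declared $1, found $2"; return 1
}

# Poll for $1 seconds; print a timestamped line each time ownership changes
watch_owner() {
    n=$1; prev=""
    while [ "$n" -gt 0 ]; do
        cur=$(actual_owner "$SOCK")
        if [ "$cur" != "$prev" ]; then echo "$(date +%T) $cur"; prev=$cur; fi
        sleep 1; n=$((n - 1))
    done
}

# Constructed sample of `systemctl show docker.socket` (second drop-in is made up)
SAMPLE_SHOW='SocketUser=root
SocketGroup=docker
SocketMode=0660
DropInPaths=/etc/systemd/system/docker.socket.d/override.conf /run/systemd/system/docker.socket.d/50-example.conf'

# Live mode: pass --live on the affected host, right after restarting the socket
if [ "${1:-}" = "--live" ]; then
    show=$(systemctl show docker.socket)
    echo "$show" | dropin_paths
    check_drift "$(echo "$show" | declared_owner)" "$(actual_owner "$SOCK")"
    watch_owner 30
fi
```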