diff --git a/.env.example b/.env.example
index 0fc6113..e8f4256 100644
--- a/.env.example
+++ b/.env.example
@@ -36,6 +36,9 @@ VENDOR_SEED_ENABLED=false
 # VENDOR_USER=vendor
 # VENDOR_PASS=change_me
 
+# Docker socket GID (run: stat -c '%g' /var/run/docker.sock)
+# DOCKER_GID=0
+
 # Docker images (override for custom registries)
 # TRAEFIK_IMAGE=gitea.siegeln.net/cameleer/cameleer-traefik
 # POSTGRES_IMAGE=gitea.siegeln.net/cameleer/cameleer-postgres
diff --git a/docker-compose.yml b/docker-compose.yml
index cf6439b..be509fa 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -138,7 +138,7 @@ services:
       - traefik.http.routers.saas.tls=true
       - traefik.http.services.saas.loadbalancer.server.port=8080
     group_add:
-      - "0"
+      - "${DOCKER_GID:-0}"
     networks:
       - cameleer
 
diff --git a/installer/install.sh b/installer/install.sh
index 6324529..792556e 100644
--- a/installer/install.sh
+++ b/installer/install.sh
@@ -649,6 +649,7 @@ TENANT_ORG_NAME=${TENANT_ORG_NAME:-}
 
 # Docker
 DOCKER_SOCKET=${DOCKER_SOCKET}
+DOCKER_GID=$(stat -c '%g' "${DOCKER_SOCKET}" 2>/dev/null || echo "0")
 
 # Provisioning images
 CAMELEER_SAAS_PROVISIONING_SERVERIMAGE=${REGISTRY}/cameleer3-server:${VERSION}
@@ -881,11 +882,16 @@ EOF
     echo "      - ${MONITORING_NETWORK}" >> "$f"
   fi
 
-  cat >> "$f" << 'EOF'
+  # Detect Docker socket GID for container access
+  local docker_gid
+  docker_gid=$(stat -c '%g' "${DOCKER_SOCKET:-/var/run/docker.sock}" 2>/dev/null || echo "0")
+  cat >> "$f" << EOF
     group_add:
-      - "0"
+      - "${docker_gid}"
 
 volumes:
+EOF
+  cat >> "$f" << 'EOF'
   pgdata:
   chdata:
   certs: