diff --git a/Makefile b/Makefile
index d6c225a..18f2039 100644
--- a/Makefile
+++ b/Makefile
@@ -47,7 +47,7 @@ RELEASE_TAG ?= $(shell git rev-parse --abbrev-ref HEAD)
 RELEASE_SHA ?= $(shell git rev-parse --short HEAD)
 
 DOCKER_SOCKET ?= /var/run/docker.sock
-DOCKER_GROUP_ID ?= $(shell if [[ "$$OSTYPE" == darwin* ]] || [[ "$$OSTYPE" == macos* ]]; then stat -f '%Dg' $(DOCKER_SOCKET) ; else stat -c '%g' $(DOCKER_SOCKET) ; fi)
+DOCKER_GROUP_ID ?= $(shell ls -ln $(DOCKER_SOCKET) | awk '{print $$4}')
 
 # for docker-for-mac, we also add group-id of 50 ("authedusers") as moby seems to auto bind-mount /var/run/docker.sock w/ this ownership
 # @TODO investigate and remove this docker-for-mac kludge
diff --git a/lib.d/v1-runtime.sh b/lib.d/v1-runtime.sh
index b3375c9..2062541 100644
--- a/lib.d/v1-runtime.sh
+++ b/lib.d/v1-runtime.sh
@@ -76,7 +76,7 @@ v1-runtime(){
   DEX_WINDOW_FLAGS=${DEX_WINDOW_FLAGS:-"-v /tmp/.X11-unix:/tmp/.X11-unix -e DISPLAY=unix$DISPLAY"}
 
   [ -z "$__api" ] && \
-    { "$__image did not specify an org.dockerland.dex.api label!" ; exit 1 ; }
+    { echo "$__image did not specify an org.dockerland.dex.api label!" ; exit 1 ; }
 
   # if home is not an absolute path, make relative to $DEX_HOME/homes/
   [ "${DEX_DOCKER_HOME:0:1}" != '/' ] && \
@@ -159,10 +159,13 @@ v1-runtime(){
 
   # map host docker socket and passthru docker vars
   case $(echo "$__host_docker" | awk '{print tolower($0)}') in rw|ro)
-    docker_socket=/var/run/docker.sock
-    docker_group=$(if [[ "$OSTYPE" == darwin* ]] || [[ "$OSTYPE" == macos* ]]; then stat -f '%Dg' $docker_socket ; else stat -c '%g' $docker_socket ; fi)
-    __docker_volumes+=" $docker_socket:/var/run/docker.sock:$__host_docker $DOCKER_CERT_PATH $MACHINE_STORAGE_PATH"
-    __docker_flags+=" --group-add=$docker_group"
+    __docker_socket=${DOCKER_SOCKET:-/var/run/docker.sock}
+    [ -S $__docker_socket ] || {
+      echo "image requests docker, but $__docker_socket is not a valid socket"
+      exit 1
+    }
+    __docker_volumes+=" $__docker_socket:/var/run/docker.sock:$__host_docker $DOCKER_CERT_PATH $MACHINE_STORAGE_PATH"
+    __docker_flags+=" --group-add=$(ls -ln $__docker_socket | awk '{print $4}')"
     __docker_envars+=" DOCKER_* MACHINE_STORAGE_PATH"
   esac