diff --git a/lib/src/containerenv.rs b/lib/src/containerenv.rs
index a79583a2b..4b4956fab 100644
--- a/lib/src/containerenv.rs
+++ b/lib/src/containerenv.rs
@@ -16,6 +16,7 @@ pub(crate) struct ContainerExecutionInfo {
 pub(crate) id: String,
 pub(crate) image: String,
 pub(crate) imageid: String,
+ pub(crate) rootless: Option,
 }
 /// Load and parse the `/run/.containerenv` file.
diff --git a/lib/src/install.rs b/lib/src/install.rs
index 25363702d..3376ebe3e 100644
--- a/lib/src/install.rs
+++ b/lib/src/install.rs
@@ -785,6 +785,10 @@ async fn prepare_install(
 // This command currently *must* be run inside a privileged container.
 let container_info = crate::containerenv::get_container_execution_info(&rootfs)?;
+ if let Some("1") = container_info.rootless.as_deref() {
+ anyhow::bail!("Cannot install from rootless podman; this command must be run as root");
+ }
+
 let source = SourceInfo::from_container(&container_info)?;
 ensure_var()?;
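Review bot: The new `rootless` field in `ContainerExecutionInfo` has no doc comment and appears to carry the raw value from the file, so every consumer has to know which string means "rootless". A one-line comment on the field would record that, for example `/// Raw "rootless" value from /run/.containerenv; "1" means rootless podman, absent when the runtime does not write it`. The type parameter of `Option` is not visible in this rendering of the hunk; if it is a string, converting it to a boolean where the file is parsed would keep string comparisons out of callers. The struct definition starts outside the hunk.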
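Review bot: The guard added to `prepare_install` fails open: `if let Some("1") = container_info.rootless.as_deref()` rejects only the exact string `1`, so a missing `rootless` key or any other value lets the install continue. The value comes from `/run/.containerenv`, which describes what the runtime reported rather than what privileges the process actually holds, so this reads as an early usability hint and not as enforcement of the "privileged container" requirement in the comment above it. I would say that at the check, e.g. `// Advisory early exit based on /run/.containerenv; not a substitute for verifying the privileges the install needs`, so a later reader does not treat it as the privilege check. The body of `prepare_install` starts and ends outside the hunk, so whether a real privilege check follows is not visible here.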