diff --git a/src/libpriv/rpmostree-core.c b/src/libpriv/rpmostree-core.c
index eeb9a96c31..7dd375ba86 100644
--- a/src/libpriv/rpmostree-core.c
+++ b/src/libpriv/rpmostree-core.c
@@ -2700,6 +2700,14 @@ apply_rpmfi_overrides (RpmOstreeContext *self,
                        GCancellable  *cancellable,
                        GError       **error)
 {
+  /* In an unprivileged case, we can't do this on the real filesystem. For `ex
+   * container`, we want to completely ignore uid/gid.
+   *
+   * TODO: For non-root `--ex-unified-core` we need to do it as a commit modifier.
+   */
+  if (getuid () != 0)
+    return TRUE;  /* 🔚 Early return */
+
   int i;
   g_auto(rpmfi) fi = NULL;
   gboolean emitted_nonusr_warning = FALSE;
diff --git a/tests/ex-container-tests/test-httpd.sh b/tests/ex-container-tests/test-httpd.sh
new file mode 100755
index 0000000000..0becbf9519
--- /dev/null
+++ b/tests/ex-container-tests/test-httpd.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/bash
+set -xeuo pipefail
+
+cd ${test_tmpdir}
+
+dn=$(cd $(dirname $0) && pwd)
+. ${dn}/../common/libtest-core.sh
+
+cat >httpd.conf <<EOF
+[tree]
+ref=httpd
+packages=httpd;
+repos=fedora;
+EOF
+
+# This one has non-root ownership in some of the dependencies, but we shouldn't
+# try to apply them; see apply_rpmfi_overrides().
+rpm-ostree ex container assemble httpd.conf
+ostree --repo=repo ls httpd /usr/sbin/httpd