diff --git a/mmdebstrap b/mmdebstrap
index d9b5cee..e0cb17a 100755
--- a/mmdebstrap
+++ b/mmdebstrap
@@ -4939,9 +4939,17 @@ sub main() {
             test_unshare_userns(1);
         }
     } elsif ($options->{mode} eq 'chrootless') {
-        if ($EFFECTIVE_USER_ID == 0) {
-            warning "running chrootless mode as root might damage the host "
-              . "system";
+        if (any { $_ eq 'check/chrootless' } @{ $options->{skip} }) {
+            info "skipping check/chrootless as requested";
+        } else {
+            my $ischroot = 0 == system 'ischroot';
+            if (   $EFFECTIVE_USER_ID == 0
+                && !exists $ENV{FAKEROOTKEY}
+                && !$ischroot) {
+                error
+                  "running chrootless mode as root without fakeroot might "
+                  . "damage the host system if not run inside a chroot";
+            }
         }
     } else {
         error "unknown mode: $options->{mode}";
@@ -7240,6 +7248,8 @@ Upon startup, several checks are carried out, like:
 
 =item * which mode to use and whether prerequisites are met
 
+=item * do not allow chrootless mode as root (without fakeroot) unless inside a chroot. This check can be disabled using B<--skip=check/chrootless>
+
 =item * whether the requested architecture can be executed (requires arch-test) using qemu binfmt_misc support. This requires arch-test and can be disabled using B<--skip=check/qemu>
 
 =item * how the apt sources can be assembled from I<SUITE>, I<MIRROR> and B<--components> and/or from standard input as deb822 or one-line format and whether the required GPG keys exist.
diff --git a/tests/chrootless b/tests/chrootless
index d72e8b8..77490c3 100644
--- a/tests/chrootless
+++ b/tests/chrootless
@@ -8,7 +8,7 @@ trap "rm -f /tmp/chrootless.tar /tmp/root.tar" EXIT INT TERM
 for INCLUDE in '' 'apt' 'apt,build-essential' 'systemd-sysv'; do
 	for MODE in root chrootless; do
 		{{ CMD }} --mode=$MODE --variant={{ VARIANT }} --hook-dir=./hooks/merged-usr \
-			${INCLUDE:+--include="$INCLUDE"} \
+			${INCLUDE:+--include="$INCLUDE"} --skip=check/chrootless \
 			{{ DIST }} "/tmp/$MODE.tar" {{ MIRROR }}
 	done
 	cmp /tmp/root.tar /tmp/chrootless.tar || diffoscope /tmp/root.tar /tmp/chrootless.tar
diff --git a/tests/chrootless-foreign b/tests/chrootless-foreign
index 242699b..03203d0 100644
--- a/tests/chrootless-foreign
+++ b/tests/chrootless-foreign
@@ -45,7 +45,7 @@ for INCLUDE in '' 'apt' 'systemd-sysv'; do
 	arch-test "$arch" && exit 1
 	{{ CMD }} --mode=chrootless --architecture="$arch" --variant={{ VARIANT }} \
 		--hook-dir=./hooks/merged-usr ${INCLUDE:+--include="$INCLUDE"} \
-		{{ DIST }} "/tmp/chrootless.tar" {{ MIRROR }}
+		--skip=check/chrootless {{ DIST }} "/tmp/chrootless.tar" {{ MIRROR }}
 	# when creating a foreign architecture chroot, the tarballs are not
 	# bit-by-bit identical but contain a few remaining differences:
 	#