diff --git a/python/repositories.bzl b/python/repositories.bzl
index b0af316419..09b05fa4ac 100644
--- a/python/repositories.bzl
+++ b/python/repositories.bzl
@@ -108,13 +108,26 @@ def _python_repository_impl(rctx):
         rctx.file(distutils_path, rctx.attr.distutils_content)
 
     # Make the Python installation read-only.
-    if "windows" not in rctx.os.name:
-        exec_result = rctx.execute(["chmod", "-R", "ugo-w", "lib"])
-        if exec_result.return_code:
-            fail_msg = "Failed to make interpreter installation read-only. 'chmod' error msg: {}".format(
-                exec_result.stderr,
-            )
-            fail(fail_msg)
+    if not rctx.attr.ignore_root_user_error:
+        if "windows" not in rctx.os.name:
+            exec_result = rctx.execute(["chmod", "-R", "ugo-w", "lib"])
+            if exec_result.return_code != 0:
+                fail_msg = "Failed to make interpreter installation read-only. 'chmod' error msg: {}".format(
+                    exec_result.stderr,
+                )
+                fail(fail_msg)
+            exec_result = rctx.execute(["touch", "lib/.test"])
+            if exec_result.return_code == 0:
+                exec_result = rctx.execute(["id", "-u"])
+                if exec_result.return_code != 0:
+                    fail("Could not determine current user ID. 'id -u' error msg: {}".format(
+                        exec_result.stderr,
+                    ))
+                uid = int(exec_result.stdout.strip())
+                if uid == 0:
+                    fail("The current user is root, please run as non-root when using the hermetic Python interpreter. See https://github.com/bazelbuild/rules_python/pull/713.")
+                else:
+                    fail("The current user has CAP_DAC_OVERRIDE set, please drop this capability when using the hermetic Python interpreter. See https://github.com/bazelbuild/rules_python/pull/713.")
 
     python_bin = "python.exe" if ("windows" in platform) else "bin/python3"
 
@@ -227,6 +240,11 @@ python_repository = repository_rule(
                   "Either distutils or distutils_content can be specified, but not both.",
             mandatory = False,
         ),
+        "ignore_root_user_error": attr.bool(
+            default = False,
+            doc = "Whether the check for root should be ignored or not. This causes cache misses with .pyc files.",
+            mandatory = False,
+        ),
         "platform": attr.string(
             doc = "The platform name for the Python interpreter tarball.",
             mandatory = True,

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<title>pFad - Phonifier reborn</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
</head>
<body>
<h1>Pfad - The Proxy pFad of &#169; 2024 Garber Painting. All rights reserved.</h1>


<!-- Disclaimer -->
<p>Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.</p>
<br>
<p>Alternative Proxies:</p><p><a href="http://rainy.clevelandohioweatherforecast.com/php-proxy/index.php?q=https://patch-diff.githubusercontent.com/raw/bazel-contrib/rules_python/pull/749.diff" target="_blank">Alternative Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/index.php?u=https://patch-diff.githubusercontent.com/raw/bazel-contrib/rules_python/pull/749.diff" target="_blank">pFad Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v3index.php?u=https://patch-diff.githubusercontent.com/raw/bazel-contrib/rules_python/pull/749.diff" target="_blank">pFad v3 Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v4index.php?u=https://patch-diff.githubusercontent.com/raw/bazel-contrib/rules_python/pull/749.diff" target="_blank">pFad v4 Proxy</a></p></body>
</html>