diff --git a/lib/src/globals.rs b/lib/src/globals.rs
index 228e2a68..0f2dbc22 100644
--- a/lib/src/globals.rs
+++ b/lib/src/globals.rs
@@ -9,11 +9,12 @@ use std::path::{Path, PathBuf};
 struct ConfigPaths {
     persistent: PathBuf,
     runtime: PathBuf,
+    system: Option<PathBuf>,
 }
 
 /// Get the runtime and persistent config directories.  In the system (root) case, these
-/// system(root) case:  /run/ostree           /etc/ostree
-/// user(nonroot) case: /run/user/$uid/ostree ~/.config/ostree
+/// system(root) case:  /run/ostree           /etc/ostree        /usr/lib/ostree
+/// user(nonroot) case: /run/user/$uid/ostree ~/.config/ostree   <none>
 fn get_config_paths() -> &'static ConfigPaths {
     static PATHS: OnceCell<ConfigPaths> = OnceCell::new();
     PATHS.get_or_init(|| {
@@ -21,16 +22,21 @@ fn get_config_paths() -> &'static ConfigPaths {
             ConfigPaths {
                 persistent: PathBuf::from("/etc"),
                 runtime: PathBuf::from("/run"),
+                system: PathBuf::from("/usr/lib").into(),
             }
         } else {
             ConfigPaths {
                 persistent: glib::user_config_dir(),
                 runtime: glib::user_runtime_dir(),
+                system: None,
             }
         };
         let path = "ostree";
         r.persistent.push(path);
         r.runtime.push(path);
+        if let Some(system) = r.system.as_mut() {
+            system.push(path);
+        }
         r
     })
 }
@@ -49,6 +55,12 @@ impl ConfigPaths {
         if let Some(f) = crate::container_utils::open_optional(&persistent)? {
             return Ok(Some((persistent, f)));
         }
+        if let Some(mut system) = self.system.clone() {
+            system.push(p);
+            if let Some(f) = crate::container_utils::open_optional(&system)? {
+                return Ok(Some((system, f)));
+            }
+        }
         Ok(None)
     }
 }
diff --git a/man/ostree-container-auth.md b/man/ostree-container-auth.md
index f9b967ed..234f4995 100644
--- a/man/ostree-container-auth.md
+++ b/man/ostree-container-auth.md
@@ -9,7 +9,8 @@ The OSTree container stack uses the same file formats as **containers-auth(5)**
 not the same locations.
 
 When running as uid 0 (root), the tooling uses `/etc/ostree/auth.json` first, then looks
-in `/run/ostree/auth.json`.  For any other uid, the file paths used are in `${XDG_RUNTIME_DIR}/ostree/auth.json`.
+in `/run/ostree/auth.json`, and finally checks `/usr/lib/ostree/auth.json`.
+For any other uid, the file paths used are in `${XDG_RUNTIME_DIR}/ostree/auth.json`.
 
 In the future, it is likely that a path that is supported for both "system podman"
 usage and ostree will be added.