diff --git a/scripts/comics b/scripts/comics
index 9f3c571..eff32f5 100755
--- a/scripts/comics
+++ b/scripts/comics
@@ -107,7 +107,7 @@ LONG_OPTIONS=bind:container-image:keep-env,keep-env-modules,keep-prompt,list,nor
 handle_options () {
     if [ "$#" -gt 0 ]; then
 	case "$1" in
-            (-B|--bind) BIND_PATHS+=("$2"); return 2;;
+            (-B|--bind) BIND_PATHS_EXTRA+=("$2"); return 2;;
 	    (-i|--container-image)
                 IMAGE=$2
                 USER_SPECIFIED_IMAGE=true
@@ -165,6 +165,7 @@ BIND_PATHS=(
 /etc/passwd
 /etc/group
 )
+BIND_PATHS_EXTRA=()
 NORC=false
 OLD_START_UP=false
 # by default run bash without --rcfile unless we do the old start style
@@ -274,10 +275,9 @@ if $UPDATE; then
     [[ -d "$sandbox" ]] || abort "Sandbox does not exists: $sandbox"
     local_temp_image=/tmp/${image_name}.new
     [[ -e "$local_temp_image" ]] && rm -- "$local_temp_image"
-    info "Checking sandbox..."
-    singularity check "$sandbox"
     info "Building local temp image at $local_temp_image ..."
-    fakeroot singularity build "$local_temp_image" "$sandbox"
+    info "Need to be root to run build command:"
+    sudo singularity build "$local_temp_image" "$sandbox"
     info "Build done, moving to destination..."
     new_image=${image}.new
     mv -v -- "$local_temp_image" "$new_image"
@@ -289,7 +289,16 @@ if $UPDATE; then
     exit
 fi
 
-for i in "${BIND_PATHS[@]}"; do
+bind_paths=()
+if ! $WRITE && [[ -v BIND_PATHS[@] ]]; then
+    # skip default bind paths for sandboxes (/etc/passwd/group interferes with apt)
+    bind_paths+=("${BIND_PATHS[@]}")
+fi
+if [[ -v BIND_PATHS_EXTRA[@] ]]; then
+    bind_paths+=("${BIND_PATHS_EXTRA[@]}")
+fi
+
+for i in "${bind_paths[@]:-()}"; do
     # assume no colon in pathname
     if [[ -e "${i%%:*}" ]]; then
         SINGULARITY_ARGS+=(-B "$i")