--- cdrkit/doc/READMEs/README.ATAPI.setup
+++ cdrkit/doc/READMEs/README.ATAPI.setup
@@ -29,7 +29,7 @@ cdrom group ("adduser user cdrom") and let the user completely logout and
 re-login.
 Note: with certain kernel versions wodim can fail with this message:
 "wodim: Operation not permitted. Cannot send SCSI cmd via ioctl"
-In this case it still does need the suid bit - please send patches if you have
+In this case it still does need the SUID bit - please send patches if you have
 identified the reason of that problem.
 
 Kernel 2.4.* (for 2.5/2.6, see above)
@@ -81,7 +81,8 @@ Where we start:
    (read wodim(1), "man 1 wodim", for details)
 
 10. If you wish to allow non-root users to write CDs, you must give them 
-    permissions to do so. Set suid-root permissions on the executable,
+    permissions to do so. Set SUID root permissions on the executable,
     then add your users to the cdrom group ("adduser user cdrom") and
-    let the user completely logout and re-login.
+    let the user completely logout and re-login.  Be sure to refer to
+    README.suidroot to get informed of the security risk.
 
--- cdrkit/doc/READMEs/README.suidroot
+++ cdrkit/doc/READMEs/README.suidroot
@@ -1,29 +1,38 @@
 
-This is an example of how to install wodim and other cdrkit applications to get
-the root permissions in a safer way.
+This is an example of how to install wodim and some other cdrkit applications
+(only those that specifically support this mode of installation!) to get the
+root permissions in a safer way (compared to use of su, sudo, or the like).
 
-Usually it is not a good idea to run the applications as root or to
-give users the means to run wodim as root. This gives them an easy way
+Usually it is not a good idea to give users (including your very own non-root
+account) the means to run wodim as root. This gives them an easy way
 to fetch sensitive data by writing it to the disk, or pass arbitrary
 SCSI commands, e.g. formatting a SCSI disk.
 
 This also applies to root-mode wrappers like sudo, they should be used with
 the most possible care.
 
-The alternative way is installing wodim as suid-root application. In this
+The alternative way is installing wodim as SUID root application. In this
 mode, wodim checks permission of the device access by comparing the ownership
 of the device node user/group attributes for the real UID/GID of the calling
 user.
 
-To give all user access to use wodim, enter:
+To give all users access to use wodim (usually a bad idea!), enter:
 
-   chown root /usr/local/bin/wodim
-   chmod 4711 /usr/local/bin/wodim
+   chown root /usr/bin/wodim
+   chmod 4711 /usr/bin/wodim
 
-To give a restricted group of users access to wodim, add a group
-"cdburners" to your system and add the trusted users to this group.
+To give a restricted group of users access to wodim, at your own risk, add a
+group "cdburners" to your system and add the trusted users to this group.
 Then enter:
 
-   chown root:cdburners /usr/local/bin/wodim
-   chmod 4710 /usr/local/bin/wodim
+   chown root:cdburners /usr/bin/wodim
+   chmod 4710 /usr/bin/wodim
+
+Please note that by "giving access to wodim" as illustrated above, you actually
+permit those user accounts to invoke portions of code in wodim, as well as in
+system libraries, as root.  This allows any one of those users, or whoever
+might have compromised any of the accounts, to mount attacks on potential
+vulnerabilities in those code paths - and potentially obtain root privileges.
+However, compared to use of sudo (or the like), which would run the entire
+wodim program as root, this is a security improvement.
 
--- cdrkit/genisoimage/genisoimage.1
+++ cdrkit/genisoimage/genisoimage.1
@@ -2578,11 +2578,6 @@ combinations of the hide options ...
 .\" ----------------------------------------
 .SH NOTES
 .PP
-.B genisoimage
-may safely be installed suid root. This may be needed to allow
-.B genisoimage
-to read the previous session when creating a multisession image.
-.PP
 If 
 .B genisoimage 
 is creating a filesystem image with Rock Ridge attributes and the
@@ -2594,13 +2589,23 @@ This results in a directory called
 .B RR_MOVED
 in the root directory of the CD. You cannot avoid this directory.
 .PP
-Many boot code options for different platforms are mutualy exclusive because
+Many boot code options for different platforms are mutually exclusive because
 the boot blocks cannot coexist, ie. different platforms share the same data
 locations in the image. See
 http://lists.debian.org/debian-cd/2006/12/msg00109.html for details.
 .\" ----------------------------------------
 .SH BUGS
 .PP
+.B genisoimage
+is not designed to handle untrusted directory trees - that is, those where
+at least one directory entry was previously or is currently under control
+of a potential attacker.
+When
+.B genisoimage
+is used on such a tree, compromise of the account running
+.B genisoimage
+(often root) may result.
+.PP
 Any files that have hard links to files not in the tree being copied to the
 ISO9660 filesystem will have an incorrect file reference count.
 .PP
@@ -2761,7 +2766,8 @@ is derived from
 from the
 .B cdrtools 2.01.01a08
 package from May 2006 (with few updates extracted from cdrtools 2.01.01a24 from
-March 2007) from .IR http://cdrecord.berlios.de/ ,
+March 2007) from
+.IR http://cdrecord.berlios.de/ ,
 but is now part of the
 .B cdrkit
 suite, maintained by Joerg Jaspert, Eduard Bloch, Steve McIntyre, Peter
--- cdrkit/readom/readom.1
+++ cdrkit/readom/readom.1
@@ -360,9 +360,11 @@ login shell.
 .PP
 Unless you want to risk getting problems,
 .B readom
-should be run as root. If you don't want to allow users to become root on your system,
+should be run as root.
+As an option,
 .B readom
-may safely be installed suid root.
+may be installed SUID root
+(at your own risk and restricting access to a trusted group of users).
 For more information see the additional notes of your system/program
 distribution or README.suidroot which is part of the Cdrkit source.
 .PP
--- cdrkit/wodim/wodim.1
+++ cdrkit/wodim/wodim.1
@@ -72,8 +72,9 @@ and
 .PP
 In any case, the user running 
 .B wodim
-needs read and write access to the particular device file on a Linux system. It
-is recommended to be root or install the application as suid-root, because
+needs read and write access to the particular device file on a Linux system.
+It is recommended to be root or install the application as SUID root (at your
+own risk and restricting access to a trusted group of users), because
 certain versions of Linux (kernel) limit the set of SCSI commands allowed for
 non-root users. Even if usage without root identity is possible in many cases,
 some device drivers still may fail, show unexplainable problems and generally
@@ -158,7 +159,7 @@ In order to be able to use the SCSI transport subsystem of the OS, run at highes
 priority and lock itself into core
 .B
 wodim
-either needs to be run as root, needs to be installed suid root or
+either needs to be run as root, needs to be installed SUID root (risky) or
 must be called via
 .B RBACs
 pfexec mechanism.
@@ -2115,7 +2116,7 @@ to create a disk that is entirely made of dummy data.
 .PP
 There are also cases where you either need to be root or install
 .B wodim 
-executable with suid-root permissions. First, if you are using a device
+executable with SUID root permissions (risky). First, if you are using a device
 manufactured before 1999 which requires a non-MMC driver, you should run
 .B wodim
 in dummy mode before writing data. If you find a problem doing this, please
@@ -2132,7 +2133,8 @@ dummy mode and report trouble to the contact address below.
 If you still want to run
 .B wodim
 with root permissions, you can set the permissions of the executable to
-suid-root. See the additional notes of your system/program distribution or
+SUID root (risky).
+See the additional notes of your system/program distribution or
 README.suidroot which is part of the cdrkit source.
 .PP
 You should not connect old drives that do not support