Subject: Re: exporting -ro nfs
To: None <tech-kern@NetBSD.org, tech-security@NetBSD.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-kern
Date: 01/26/2007 16:31:08

> The mountd won't respond to a mount request for /usr unless "alldirs"
> was specified, but it is true that a "bad guy" could guess/replay a
> file handle for /usr and go from there.

I think it's actually worse than that; given a file handle for
/usr/foo/bar/blee, someone not running normal client code could do ..
lookups to walk up as far as the server will permit (which usually
means, to the mount point on the server - /usr in this case).

It's been a while since I had my hands dirty with NFS, but I'm pretty
sure that's how it generally works.

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse@rodents.montreal.qc.ca
/ \ Email!           7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
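
Added example, not part of the original message and not NetBSD code: a toy model of the ".." lookup behaviour described above, useful for reasoning about what a subdirectory export actually confines. Path strings stand in for opaque file handles, /usr/foo/bar as the exported directory and /usr/private are constructed, and the subtree_check flag is a hypothetical server-side check added for contrast.

```python
import posixpath

FS_ROOT = "/usr"            # mount point on the server (from the post)
EXPORTED = "/usr/foo/bar"   # constructed: the only directory in the exports list
# Constructed directory tree living on the one server filesystem.
DIRS = {"/usr", "/usr/foo", "/usr/foo/bar", "/usr/foo/bar/blee", "/usr/private"}


def inside(path, root):
    """True if path is root itself or lies beneath it."""
    return path == root or path.startswith(root + "/")


def lookup(handle, name, subtree_check=False):
    """Model of a LOOKUP call: resolve name relative to the directory handle.

    The handle identifies a directory on the filesystem and carries no record
    of which export it was obtained through. Returns the new handle, or None
    when the server refuses or the name does not exist.
    """
    if handle not in DIRS:
        return None                      # stale or invalid handle
    if name == "..":
        # The server stops at the root of its own filesystem, not at the export.
        target = handle if handle == FS_ROOT else posixpath.dirname(handle)
    else:
        target = posixpath.join(handle, name)
    if target not in DIRS:
        return None
    # Hypothetical mitigation: refuse anything that resolves outside the export.
    if subtree_check and not inside(target, EXPORTED):
        return None
    return target


def walk_up(start, subtree_check=False):
    """Repeat '..' lookups until the server stops; return the highest directory."""
    cur = start
    while True:
        nxt = lookup(cur, "..", subtree_check)
        if nxt is None or nxt == cur:
            return cur
        cur = nxt


if __name__ == "__main__":
    print("no subtree check:  ", walk_up("/usr/foo/bar/blee"))
    print("with subtree check:", walk_up("/usr/foo/bar/blee", subtree_check=True))
```

In the model, the walk ends at the filesystem root unless the server itself checks each result against the export, which is why keeping exported data on its own filesystem is the simpler boundary.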