Subject: Re: exporting -ro nfs
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Jonathan Stone <jonathan@Pescadero.dsg.stanford.edu>
List: tech-kern
Date: 01/26/2007 13:47:32
In message <200701262135.QAA04542@Sparkle.Rodents.Montreal.QC.CA>,
der Mouse writes:

>> The mountd won't respond to a mount request for /usr unless "alldirs"
>> was specified, but it is true that a "bad guy" could guess/replay a
>> file handle for /usr and go from there.
>
>I think it's actually worse than that; given a file handle for
>/usr/foo/bar/blee, someone not running normal client code could do ..
>lookups to walk up as far as the server will permit (which usually
>means, to the mount point on the server - /usr in this case).
>
>It's been a while since I had my hands dirty with NFS, but I'm pretty
>sure that's how it generally works.

I'm sure that's how the original SunOS 3/4 implementation works, and
how Rick's 4.4BSD NFS code works.  This is all Well-Known and Implicitly
Understood, at least to us old farts who were there at the time.

I have a nagging memory that the in-kernel Linux NFS server does a
permissions check on each RPC, (or at least for each RPC that can
change data).  But even if I'm recalling that much correctly, I don't
recall if Linux checks back to the exported directory or to the
containing mount-point (if they differ, which I think was George's
original observation/question).
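To make the distinction in this thread concrete, here is a small Python model
of the server side of NFS LOOKUP. It is an added illustration written for this
page, not code from SunOS, 4.4BSD or Linux. The server layout (a filesystem
mounted on /usr, a single export of /usr/foo/bar without "alldirs") and the
handle representation (a plain path standing in for an opaque file handle) are
constructed assumptions. The "mountpoint" policy models the behaviour der Mouse
describes, where only the filesystem boundary stops ".." lookups; the "export"
policy models a server that checks every lookup result back against the
exported directory rather than the containing mount point.

```python
import posixpath

# Constructed server layout for the example (not a real configuration).
MOUNT_POINTS = ["/", "/usr"]      # filesystems mounted on the server
EXPORTS = ["/usr/foo/bar"]        # exported directory, no "alldirs"
ALLDIRS = False


def _longest_prefix(path, roots):
    """Return the longest entry of `roots` that contains `path`, or None."""
    best = None
    for r in roots:
        if path == r or path.startswith(r.rstrip("/") + "/"):
            if best is None or len(r) > len(best):
                best = r
    return best


def mount_point_of(path):
    """Mount point of the filesystem holding `path` (server's own view)."""
    return _longest_prefix(path, MOUNT_POINTS)


def export_root_of(path):
    """Export root that `path` lies under, or None if it is not exported."""
    return _longest_prefix(path, EXPORTS)


def mount_request(path):
    """mountd: hand out a root handle only for the export root itself, or for
    any directory beneath it when "alldirs" was specified."""
    if path in EXPORTS:
        return path
    if ALLDIRS and export_root_of(path) is not None:
        return path
    return None


def lookup(dir_handle, name, policy="export"):
    """Model NFS LOOKUP of `name` in the directory named by `dir_handle`.

    policy="mountpoint": nothing but the filesystem boundary stops "..", so
    a client holding any handle under the export can walk up to /usr.
    policy="export": the result of every lookup is checked against the
    exported directory and refused if it falls outside it.
    """
    target = posixpath.normpath(posixpath.join(dir_handle, name))
    if name == "..":
        mp = mount_point_of(dir_handle)
        if dir_handle == mp:
            target = mp   # ".." of a filesystem root names the root itself
    if policy == "export" and export_root_of(target) is None:
        raise PermissionError("lookup %r from %r leaves the export"
                              % (name, dir_handle))
    return target


def walk_up(handle, policy):
    """Issue ".." lookups from `handle` until the server stops us, the way a
    non-standard client would; return the highest directory reached."""
    cur = handle
    while True:
        try:
            nxt = lookup(cur, "..", policy)
        except PermissionError:
            return cur
        if nxt == cur:
            return cur
        cur = nxt


if __name__ == "__main__":
    start = "/usr/foo/bar/blee"        # a handle the attacker guessed/replayed
    print("mount /usr          ->", mount_request("/usr"))
    print("mount /usr/foo/bar  ->", mount_request("/usr/foo/bar"))
    print("walk up, mountpoint ->", walk_up(start, "mountpoint"))
    print("walk up, export     ->", walk_up(start, "export"))
```

Under the "mountpoint" policy the walk from /usr/foo/bar/blee ends at /usr,
exactly the point the quoted text makes; under the "export" policy it stops at
/usr/foo/bar, the first ".." that would leave the export being refused.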