> I think it's actually worse than that; given a file handle for
> /usr/foo/bar/blee, someone not running normal client code could do ..
> lookups to walk up as far as the server will permit (which usually
> means, to the mount point on the server - /usr in this case).

Yep, rick. It could do lookups of ".." to get to /usr as well.