Peeking under mount points with NFS
Normally, one of NFS's irritating features is that when you mount a filesystem from a server, you don't automatically get access to any sub-filesystems mounted on that filesystem; you have to know about them and mount them yourself.
(Yes, yes, some NFS servers offer features to do this for you; such features have their own problems.)
But there's an old sysadmin trick that turns this into a feature. If you
NFS mount a filesystem, such as
/, you can see inside directories
covered up by active mount points. If you're evil, you can write
things there too. Because this is just NFS, you can do it while the
system is up in regular multiuser mode without having to perturb it.
The usual situations I've wound up needing this are:
- something accidentally scribbles into a 'filesystem' that isn't mounted at the time, and it needs to be cleaned up. This usually happens either during early boot or during system maintenance when I make a mistake and don't notice it until later.
- I need to plant strategic files into the root filesystem to fake
having a filesystem mounted; for example, I might need a
/var/tmpthat still exists before
/varis mounted, or need a few device nodes to be in
/devbefore the dynamic
/devfilesystem gets mounted.
(The other not to be discounted peculiar sysadmin use for NFS mounts is that it bypasses all of the usual rootkit infrastructure used to hide files from user-level programs. Most of those modify either user level shared libraries or system call entry points, both of which kernel NFS servers bypass.)