Peeking under mount points with NFS

May 5, 2006

Normally, one of NFS's irritating features is that when you mount a filesystem from a server, you don't automatically get access to any sub-filesystems mounted on that filesystem; you have to know about them and mount them yourself.

(Yes, yes, some NFS servers offer features to do this for you; such features have their own problems.)

But there's an old sysadmin trick that turns this into a feature. If you NFS mount a filesystem, such as /, you can see inside directories covered up by active mount points. If you're evil, you can write things there too. Because this is just NFS, you can do it while the system is up in regular multiuser mode without having to perturb it.

The usual situations where I've wound up needing this are:

  • something accidentally scribbles into a 'filesystem' that isn't mounted at the time, and it needs to be cleaned up. This usually happens either during early boot or during system maintenance when I make a mistake and don't notice it until later.
  • I need to plant strategic files into the root filesystem to fake having a filesystem mounted; for example, I might need a /var/tmp that still exists before /var is mounted, or need a few device nodes to be in /dev before the dynamic /dev filesystem gets mounted.

(The other peculiar sysadmin use for NFS mounts, not to be discounted, is that they bypass all of the usual rootkit infrastructure used to hide files from user-level programs. Most of that infrastructure modifies either user-level shared libraries or system call entry points, both of which kernel NFS servers bypass.)
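As an added example (not from the original post), here is one way to turn the trick into a repeatable check: list a tree as seen locally and as seen through a read-only NFS mount of the same filesystem, then report what only the NFS view shows. The function names, the `/mnt/rootview` mount point and the mount-list file format are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: cross-view comparison of a local tree against the same
# filesystem seen through NFS. Assumes the server exports / and that it is
# mounted read-only somewhere, for instance (hypothetical mount point):
#   mount -t nfs -o ro server:/ /mnt/rootview
# Assumes no newlines in file names.

# list_tree DIR: every path under DIR, relative to DIR, in C-locale order.
# -xdev keeps find on one filesystem, so a local listing stops at each
# mount point and never sees what is mounted on top of it.
list_tree() {
    ( cd "$1" && find . -xdev ! -name . -print | LC_ALL=C sort )
}

# only_in_nfs LOCAL NFSVIEW: paths present in the NFS view but not locally.
only_in_nfs() {
    tmp=$(mktemp -d) || return 1
    list_tree "$1" > "$tmp/local"
    list_tree "$2" > "$tmp/nfs"
    LC_ALL=C comm -13 "$tmp/local" "$tmp/nfs"
    rm -rf "$tmp"
}

# crossview LOCAL NFSVIEW MOUNTLIST: tag each NFS-only path.
# MOUNTLIST holds one active mount point per line, relative to LOCAL
# (e.g. "./var"). On Linux it could be built with:
#   awk '$2 != "/" { print "." $2 }' /proc/mounts
# SHADOWED    = sits underneath an active mount point (expected to differ)
# UNEXPLAINED = visible via NFS, missing locally, no mount point covers it
crossview() {
    only_in_nfs "$1" "$2" | awk -v mlist="$3" '
        BEGIN { while ((getline m < mlist) > 0) if (m != "") mp[m] = 1 }
        {
            tag = "UNEXPLAINED"
            for (m in mp) if (index($0, m "/") == 1) tag = "SHADOWED"
            print tag "\t" $0
        }'
}

# Run directly: sh crossview.sh / /mnt/rootview mounts.txt
if [ "$#" -eq 3 ]; then
    crossview "$@"
fi
```

For the rootkit case, produce the local listing with `list_tree` on the suspect machine and the NFS listing on a separate client, since a local listing of a loopback NFS mount still passes through the same user-level libraries and system calls.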

Last modified: Fri May 5 00:33:13 2006