== Peeking under mount points with NFS

Normally, one of NFS's irritating features is that when you mount a filesystem from a server, you don't automatically get access to any sub-filesystems mounted on that filesystem; you have to know about them and mount them yourself. (Yes, yes, some NFS servers offer features to do this for you; such features have their own problems.)

But there's an old sysadmin trick that turns this into a feature. If you NFS mount a filesystem, such as _/_, *you can see inside directories covered up by active mount points*. If you're evil, you can write things there too. Because this is just NFS, you can do it while the system is up in regular multiuser mode without having to perturb it.

The usual situations where I've wound up needing this are:

* something accidentally scribbles into a 'filesystem' that isn't mounted at the time, and it needs to be cleaned up. This usually happens either during early boot or during system maintenance when I make a mistake and don't notice it until later.

* I need to plant strategic files into the root filesystem to fake having a filesystem mounted; for example, I might need a _/var/tmp_ that still exists before _/var_ is mounted, or need a few device nodes to be in _/dev_ before the dynamic _/dev_ filesystem gets mounted.

(The other peculiar sysadmin use for NFS mounts, which is not to be discounted, is that they bypass all of the usual rootkit infrastructure used to hide files from user-level programs. Most of those modify either user-level shared libraries or system call entry points, both of which kernel NFS servers bypass.)
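
As an added example (not part of the original entry), here is one way to inventory what is sitting underneath active mount points once the root filesystem has been NFS-mounted somewhere. It assumes the NFS view is already mounted at a path you pass in (such as the hypothetical _/mnt/rootview_) and that mount points are read from a file in _/proc/mounts_ format; the function name is made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Lists entries that sit
# underneath active mount points, as seen through an NFS mount of the
# root filesystem.
#
# Assumptions: the root filesystem is already NFS-exported and mounted at
# $1 (for example /mnt/rootview, a hypothetical path), and $2 is a file in
# /proc/mounts format. Mount points containing escaped characters such as
# \040 are not decoded here.

# shadowed_entries NFS_VIEW MOUNTS_FILE
# Prints one line per entry found directly inside a covered mount point
# directory, using the path as it would appear on the live system.
shadowed_entries() {
    nfs_view=${1%/}
    mounts_file=$2

    # Field 2 of /proc/mounts is the mount point. Skip "/" itself and
    # de-duplicate, since a mount point can be listed more than once.
    awk '$2 != "/" { print $2 }' "$mounts_file" | sort -u |
    while IFS= read -r mnt; do
        covered=$nfs_view$mnt
        # NFS does not cross into sub-filesystems, so whatever is inside
        # this directory lives on the underlying filesystem.
        [ -d "$covered" ] || continue
        for entry in "$covered"/* "$covered"/.[!.]* "$covered"/..?*; do
            # Unmatched globs stay literal; skip them.
            [ -e "$entry" ] || [ -L "$entry" ] || continue
            printf '%s\n' "${entry#"$nfs_view"}"
        done
    done
}
```

Run it as something like `shadowed_entries /mnt/rootview /proc/mounts`. Deliberately planted entries such as a placeholder _/var/tmp_ show up alongside accidental ones, so the output needs a human read.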