Hi playing around with this I found another nasty thing. Check this out: $ id uid=666666(www) gid=4294967294(nobody) $ ls -ld /tmp drwxrwxrwt 9 bin bin 2560 Apr 26 09:36 /tmp $ ls -ld /var/tmp/bah drwxrwxrwx 2 www nobody 512 Apr 26 09:31 /var/tmp/bah $ mount /var/tmp/bah /tmp $ ls -ld /tmp drwxrwxrwx 2 www nobody 512 Apr 26 09:31 /tmp $ uname -a AIX ibm1 2 3 000006693700 $ In other words AIX allows anyone to mount a directory onto a directory of a file onto a file if the user has a) search permissions to the directory or file to mount and b) write permissions to the directory or file to mount over. Also in order the mount a block device, a remote direcotry or a remote file the process must have root authority. As you can see the stupid thing never checks the sticky bit in the directory to mount over! This does not allows us to read the file created on our mounted directory since they keep the uid.guid of the owner even after we unmount them, but we can erase the files and maybe fuck around with a few programs by switching files, etc.... This also includes /var/spool/mail and any other directories with the sticky bit... a1