> Here's a little additional information..... the nfs_mount routine does its > work through the vmount() system call, which is documented. If this is a > security hole at all, then it's because it would let an attacker mount a > remote filesystem under his control onto a world-readable directory like ^^^^^^^^ > /tmp or /var/preserve, and thereby grab a copy of everything that was > written to that directory. Anybody want to write a test program? Shouldn't that be writeable? -Proff