There was also a horrible bit of backdoor-ism that was exploitable with NFS on SunOS - and was there for at least 4.1.3 but I imagine it was around for a long time. If the /usr filesystem was exported, and you were either a "known host" or it was exported to (everyone) (and yes, there were a LOT of people that did this)... Mount it locally, become root, su - uucp, and go and change the mode on /usr/lib/uucp/uucico (which was owned by uucp) from setuid to writable. Overwrite with your binary or script of choice. Telnet to the exploited host, and /usr/lib/uucp/uucico was executed as root. I usually used: #!/bin/sh /usr/openwin/bin/xterm -display :0 I used this on a WAN back in the 90's - actually to reset a lost root password for someone, but also to poke around sometimes ;) I don't know why people exported /usr - but they did it a lot. On 9/29/2017 2:40 PM, Don Hopkins wrote: > I was able to nfs-mount a directory on one of cs.cmu.edu's servers from sun.com’s network with no problem. Ron may remember me warning him about that! > > -Don > > >