But the mount point is secure, right? Only root has permission to the folder, right?
Unfortunately (for the system administrator), the permission of a mount point is determined by the mount command and permissions of the directories settings of the NAS.
By default, mount keeps the same permissions of the NAS. This means that the directories and files are marked accessible by the root (which is harmless) and the others. Yes, mrgray is one of the other!
As a result, mrgray ends up having read and traverse access to the mount point and all the files and subdirectories. Yep, that’s bad. Because the NAS is used to back up all the other servers, this also means that sensitive data from the other otherwise secure servers is now readable by mrgray.
What can make this even worse is that the back up files may include files of the /root folder and /etc/cron.d. If so, it means that mrgray has access to the cron file that sets up the back up process, and hence access to the user name and password to access the NAS. With that information mrgray can also destroy or poison the back up files in addition to stealing them.