Server Side Access Authorization Description

The exact server side Access Authorization procedures are described in the corresponding protection scheme specification:

Because the Unix file system, with its soft and hard links, makes it easy to access a file from a directory other than the one where the file actually resides, the server needs to use the Unix file system protections to its advantage. Therefore, the Unix file system must provide the protection between the collaborations using the same machine, and the server sets its process uid and gid according to which set of files is currently being served.

Forking and Process uid and gid

The server can run standalone, in which case it forks another copy of itself and then sets its user and group ids. (Forking is necessary because once a process has set its user id to something other than root, it cannot change back.) If the server is run by inetd (the inet daemon), there is no need to fork.

If users on the server machine can be trusted, files can have world (or group) read permission, and the server can run as nobody (or with an appropriate group id). In this case there is no need to fork, even when running standalone.
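
The standalone case described above, as an added C example (not the server's own code): the forked child sets its group id before its user id, confirms it cannot change back to root, and the parent keeps its own ids for the next request. The names drop_privileges and serve_as are hypothetical, and clearing supplementary groups with setgroups is an addition the page does not mention.

```c
#define _DEFAULT_SOURCE            /* for setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: switch this process to uid/gid for good. 0 = ok. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    /* Groups first: after setuid() the process may no longer change them. */
    if (geteuid() == 0 && uid != 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify real and effective ids, then that root cannot be regained. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Hypothetical helper: fork a child that serves one set of files as
 * uid/gid. Returns the child's exit status (0 = ids set), -1 on error. */
int serve_as(uid_t uid, gid_t gid)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0)
            _exit(1);              /* never serve files under the wrong ids */
        /* Request handling for this file set would run here. */
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed demo: target the current ids so it runs without root. */
    uid_t before = getuid();
    int rc = serve_as(getuid(), getgid());
    printf("child exit=%d parent uid unchanged=%d\n", rc, getuid() == before);
    return rc;
}
```

Started as root with the uid and gid that own a collaboration's files, the child fails closed if any step of the switch does not take effect.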

AL 12 December 1993