There is a daemon which invokes user service programs (henceforth
`services') in response to requests by callers of a companion client
program (henceforth the `client') and according to rules set forth in
system-wide and user-specific configuration files. The companion
client program is setuid root, and negotiates with the daemon through
an AF_UNIX socket and associated objects in a system-wide
private directory set aside for the purpose. The user who wishes the
service to be performed and calls the client is called the `calling
user'; the process which calls the client is called the `calling
process'.
The daemon and the client are responsible for ensuring that information is safely carried across the security boundary between the two users, and that the processes on either side cannot interact with each other in any unexpected ways.