I'm having trouble understanding POSIX permissions, specifically setgid(2). I understand that setuid(2) changes the user ID of the calling process so that it takes on the privileges of the new user. This makes sense, because a user only has a single UID, so a process may only have a single UID as well.
What I don't understand is why a process can only have a single GID. After all, a user can be a member of any number of groups, so what determines which GID the process runs as? I realize that every user has a "primary" GID, and that is the GID that processes run by the user will take on by default. But what if the application has to access a file that belongs to a group other than the user's primary group (and therefore, the process's GID)? Is it the application's responsibility to attempt to setgid to match the file's GID? Or will the kernel simply check to see if the UID of the process is a user who is a member of the group the file belongs to, and allow or deny access according to the file's group permissions? In the latter case, it seems that setgid would not be needed.
For example: I am a member of group "adm" but my primary group is "griffin". Somehow, I'm still able to cat files in the "adm" group. Is cat using setgid to change its GID to "adm" before accessing the files? Or is the kernel checking that user "griffin" is a member of "adm" before returning a file descriptor (in this case, setgid is not needed)? How is a process's GID fundamentally different from having a UID of a user who is a member of the desired group?
Any clarification on this subject is greatly appreciated.
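
An added example, not part of the original post, showing the check the question asks about: a process carries an effective GID plus a supplementary group list (filled in at login, for example through setgroups(2)), and the kernel matches the file's GID against those rather than looking up the user's memberships at access time. The GIDs 1000 for "griffin" and 4 for "adm" are assumed values, and `gid_in_creds` and `process_in_group` are hypothetical helper names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Model of the group-class test applied on open(2): the file's GID is
 * compared with the process's effective GID (on Linux, the filesystem GID,
 * which normally equals it) and with its supplementary group list.
 * The group database is not consulted at access time. */
int gid_in_creds(gid_t file_gid, gid_t egid, const gid_t *supp, int nsupp)
{
    if (file_gid == egid)
        return 1;
    for (int i = 0; i < nsupp; i++)
        if (supp[i] == file_gid)
            return 1;
    return 0;
}

/* Same test against the calling process's real credentials.
 * Returns 1 or 0, or -1 on error. */
int process_in_group(gid_t file_gid)
{
    int n = getgroups(0, NULL);              /* size query only */
    if (n < 0)
        return -1;
    gid_t *supp = malloc((n ? n : 1) * sizeof *supp);
    if (!supp)
        return -1;
    n = getgroups(n, supp);                  /* fetch supplementary GIDs */
    int r = (n < 0) ? -1 : gid_in_creds(file_gid, getegid(), supp, n);
    free(supp);
    return r;
}

int main(void)
{
    /* Constructed credentials matching the question: primary group
     * "griffin" (GID 1000 assumed), supplementary group "adm" (GID 4 assumed). */
    gid_t supp[] = { 1000, 4 };
    printf("file gid 4 (adm):    %d\n", gid_in_creds(4, 1000, supp, 2));
    printf("file gid 27 (other): %d\n", gid_in_creds(27, 1000, supp, 2));
    printf("this process, own egid: %d\n", process_in_group(getegid()));
    return 0;
}
```

Because the list is copied into the process at login, a user added to a group afterwards does not gain access in already-running sessions until they log in again.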