When are permissions checked?

The kernel only performs access control checks for an object (file descriptor) when it is initially accessed or created. Root-only system calls (setuid, etc.) are checked each time they are attempted. Programs can open a privileged resource with enhanced privileges, drop those privileges, and still access the resource.

Side effects:
- Allows better performance: restrictions are checked once, not at every read/write, for example.
- Changing the permissions of a file after a bad guy has it open does not prevent his further access to it!
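The last side effect, as an added example for a POSIX system (not code from the original notes): a file is opened, its mode is set to 0, and the old descriptor is compared with a fresh open(). The struct, function name and scratch path are this example's own; root bypasses mode bits, so the re-open is only refused for an unprivileged caller.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of the demo; struct and function names are this example's own. */
struct demo_result {
    int read_after_chmod_ok;  /* 1 if the already-open fd still returns the data */
    int reopen_errno;         /* errno from a fresh open(), 0 if it succeeded */
};

/* Create a scratch file, open it, revoke every mode bit, then compare
 * reading through the old descriptor with opening the path again. */
int open_time_check_demo(struct demo_result *out)
{
    char path[] = "/tmp/fdcheck-XXXXXX";          /* constructed scratch file */
    const char data[] = "constructed sample data";
    const ssize_t len = sizeof data - 1;
    char buf[64] = {0};

    int wfd = mkstemp(path);                      /* created with mode 0600 */
    if (wfd < 0) return -1;
    ssize_t w = write(wfd, data, len);
    close(wfd);

    int fd = open(path, O_RDONLY);                /* the permission check happens here */
    if (w != len || fd < 0 || chmod(path, 0) != 0) {
        if (fd >= 0) close(fd);
        unlink(path);
        return -1;
    }
    /* read() triggers no new check: the descriptor outlives the chmod. */
    ssize_t n = read(fd, buf, sizeof buf - 1);
    out->read_after_chmod_ok = (n == len && memcmp(buf, data, len) == 0);

    /* A fresh open() is checked against the new mode (EACCES unless root). */
    int fd2 = open(path, O_RDONLY);
    out->reopen_errno = (fd2 < 0) ? errno : 0;
    if (fd2 >= 0) close(fd2);
    close(fd);
    unlink(path);
    return 0;
}

int main(void)
{
    struct demo_result r;
    if (open_time_check_demo(&r) != 0) return 1;
    printf("old fd read ok: %d, re-open errno: %d\n", r.read_after_chmod_ok, r.reopen_errno);
    return 0;
}
```

For incident response this means tightening a file's mode does not cut off a process that already holds it open; that process has to be identified and stopped (or its descriptor closed) separately.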