Re: Rendezvous variables: safe to pass an access token between two extensions?

From: Andreas Karlsson <andreas(at)proxel(dot)se>
To: vaibhave postgres <postgresvaibhave(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Rendezvous variables: safe to pass an access token between two extensions?
Date: 2026-07-09 10:44:19
Message-ID: 5b0d254b-3c49-43d4-805f-4fa9b13788d0@proxel.se
Views: Whole Thread | Raw Message | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On 7/9/26 12:36, vaibhave postgres wrote:
> Since rendezvous variables are just a global, name-keyed void * with no
> notion of who populated the slot, is it safe to pass a sensitive value
> (the token) this way? My worry is that another loaded module could
> register the same name and receive the token instead of the intended
> extension B.
>
> Is there a supported way to verify the publisher of a rendezvous
> variable, or is there a better way to do this? Any prior art would help.

As PostgreSQL extensions are not sandboxed and therefore can access the
full memory of the backend (including shared memory) I do not think this
is really a concern specific to rendezvous variables. If an extension
wants to steal an access token it can as it can just grab them form
anywhere in the process memory.

You need to either audit all extensions you load or trust your packagers
and extension authors. If you load extensions you do not trust they can
do anything the postgres process can do.

--
Andreas Karlsson
Percona

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Amit Kapila 2026-07-09 10:45:17 Re: Hash index bucket split bug
Previous Message vaibhave postgres 2026-07-09 10:36:58 Rendezvous variables: safe to pass an access token between two extensions?