| From: | Andreas Karlsson <andreas(at)proxel(dot)se> |
|---|---|
| To: | vaibhave postgres <postgresvaibhave(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Rendezvous variables: safe to pass an access token between two extensions? |
| Date: | 2026-07-09 10:44:19 |
| Message-ID: | 5b0d254b-3c49-43d4-805f-4fa9b13788d0@proxel.se |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 7/9/26 12:36, vaibhave postgres wrote:
> Since rendezvous variables are just a global, name-keyed void * with no
> notion of who populated the slot, is it safe to pass a sensitive value
> (the token) this way? My worry is that another loaded module could
> register the same name and receive the token instead of the intended
> extension B.
>
> Is there a supported way to verify the publisher of a rendezvous
> variable, or is there a better way to do this? Any prior art would help.
As PostgreSQL extensions are not sandboxed and therefore can access the
full memory of the backend (including shared memory) I do not think this
is really a concern specific to rendezvous variables. If an extension
wants to steal an access token it can as it can just grab them form
anywhere in the process memory.
You need to either audit all extensions you load or trust your packagers
and extension authors. If you load extensions you do not trust they can
do anything the postgres process can do.
--
Andreas Karlsson
Percona
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Amit Kapila | 2026-07-09 10:45:17 | Re: Hash index bucket split bug |
| Previous Message | vaibhave postgres | 2026-07-09 10:36:58 | Rendezvous variables: safe to pass an access token between two extensions? |