Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1whmF3-000PfG-2M for pgsql-hackers@arkaria.postgresql.org; Thu, 09 Jul 2026 10:44:30 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1whmF2-00CVK4-0q for pgsql-hackers@arkaria.postgresql.org; Thu, 09 Jul 2026 10:44:28 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1whmF1-00CVJv-2K for pgsql-hackers@lists.postgresql.org; Thu, 09 Jul 2026 10:44:28 +0000 Received: from smtp.outgoing.loopia.se ([93.188.3.37]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1whmEz-00000000Ix9-0FVf for pgsql-hackers@postgresql.org; Thu, 09 Jul 2026 10:44:27 +0000 Received: from s807.loopia.se (localhost [127.0.0.1]) by s807.loopia.se (Postfix) with ESMTP id C0A72627760 for ; Thu, 09 Jul 2026 12:44:20 +0200 (CEST) Received: from s979.loopia.se (unknown [172.22.191.5]) by s807.loopia.se (Postfix) with ESMTP id B2C89629485; Thu, 09 Jul 2026 12:44:20 +0200 (CEST) Received: from localhost (unknown [172.22.191.5]) by s979.loopia.se (Postfix) with ESMTP id B19EE10BC47D; Thu, 09 Jul 2026 12:44:20 +0200 (CEST) X-Virus-Scanned: amavis at amavis.loopia.se X-Spam-Flag: NO X-Spam-Score: -1.2 X-Spam-Level: X-Spam-Status: No, score=-1.2 tagged_above=-999 required=6.2 tests=[ALL_TRUSTED=-1, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1] autolearn=disabled Authentication-Results: s472.loopia.se (amavis); dkim=pass (2048-bit key) header.d=proxel.se Received: from s934.loopia.se ([172.22.191.5]) by localhost (s472.loopia.se [172.22.190.12]) (amavis, port 10024) with UTF8LMTP id WT3T2VyV5868; Thu, 9 Jul 2026 12:44:20 +0200 (CEST) X-Loopia-Auth: user X-Loopia-User: andreas@proxel.se X-Loopia-Originating-IP: 147.28.75.140 Received: from [192.168.0.186] (customer-147-28-75-140.stosn.net [147.28.75.140]) (Authenticated sender: andreas@proxel.se) by s934.loopia.se (Postfix) with ESMTPSA id 1E84D917F04; Thu, 09 Jul 2026 12:44:20 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=proxel.se; s=loopiadkim1707418970; t=1783593860; bh=dy0pUJslfnL+LvEP7uPmmgA+hk6JT6Z2cQl7b02JDMM=; h=Date:Subject:To:References:From:In-Reply-To; b=EPISde6VuTiXLE5Bf3d1BugjHTJzTDIEpmEHoSHeO8HAFMldPD4lww+eQCTM1fq9F 9jPzFRhr9ehECCQha0yQ7UleJho0+L3DtbyM5iANW6DOB4nKoyJjUyuOaaFqhadt96 LjSpD9QNZYEnWC+upXGzMH6Co7J+Y0noYBF6Y8kiwvT2HLCgtC5gubfHd3PlerdKTl IUf/aVikZYI7rhiBbtNE/BZBJ3I0O51x05aYtKh/t1snHMzAHR9LTpkLIeFwLIotf3 wKUnnB34bri9rBrep1lRKTpErVN+L5aTIFHpKsip0ulrJ0/AEYiIv2+3r55U+SGGc0 BdA/eqZsM4KCA== Message-ID: <5b0d254b-3c49-43d4-805f-4fa9b13788d0@proxel.se> Date: Thu, 9 Jul 2026 12:44:19 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Rendezvous variables: safe to pass an access token between two extensions? To: vaibhave postgres , pgsql-hackers@postgresql.org References: Content-Language: en-US From: Andreas Karlsson In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 7/9/26 12:36, vaibhave postgres wrote: > Since rendezvous variables are just a global, name-keyed void * with no > notion of who populated the slot, is it safe to pass a sensitive value > (the token) this way? My worry is that another loaded module could > register the same name and receive the token instead of the intended > extension B. > > Is there a supported way to verify the publisher of a rendezvous > variable, or is there a better way to do this? Any prior art would help. As PostgreSQL extensions are not sandboxed and therefore can access the full memory of the backend (including shared memory) I do not think this is really a concern specific to rendezvous variables. If an extension wants to steal an access token it can as it can just grab them form anywhere in the process memory. You need to either audit all extensions you load or trust your packagers and extension authors. If you load extensions you do not trust they can do anything the postgres process can do. -- Andreas Karlsson Percona