public inbox for [email protected]  
help / color / mirror / Atom feed
Rendezvous variables: safe to pass an access token between two extensions?
2+ messages / 2 participants
[nested] [flat]

* Rendezvous variables: safe to pass an access token between two extensions?
@ 2026-07-09 10:36 vaibhave postgres <[email protected]>
  2026-07-09 10:44 ` Re: Rendezvous variables: safe to pass an access token between two extensions? Andreas Karlsson <[email protected]>
  0 siblings, 1 reply; 2+ messages in thread

From: vaibhave postgres @ 2026-07-09 10:36 UTC (permalink / raw)
  To: pgsql-hackers

Hi all,

Extension A receives an access token and needs to hand it to extension B,
which publishes a handler function via a rendezvous variable
(find_rendezvous_variable).

Since rendezvous variables are just a global, name-keyed void * with no
notion of who populated the slot, is it safe to pass a sensitive value (the
token) this way? My worry is that another loaded module could register the
same name and receive the token instead of the intended extension B.

Is there a supported way to verify the publisher of a rendezvous variable,
or is there a better way to do this? Any prior art would help.

Thanks.


^ permalink  raw  reply  [nested|flat] 2+ messages in thread

* Re: Rendezvous variables: safe to pass an access token between two extensions?
  2026-07-09 10:36 Rendezvous variables: safe to pass an access token between two extensions? vaibhave postgres <[email protected]>
@ 2026-07-09 10:44 ` Andreas Karlsson <[email protected]>
  0 siblings, 0 replies; 2+ messages in thread

From: Andreas Karlsson @ 2026-07-09 10:44 UTC (permalink / raw)
  To: vaibhave postgres <[email protected]>; pgsql-hackers

On 7/9/26 12:36, vaibhave postgres wrote:
> Since rendezvous variables are just a global, name-keyed void * with no 
> notion of who populated the slot, is it safe to pass a sensitive value 
> (the token) this way? My worry is that another loaded module could 
> register the same name and receive the token instead of the intended 
> extension B.
> 
> Is there a supported way to verify the publisher of a rendezvous 
> variable, or is there a better way to do this? Any prior art would help.

As PostgreSQL extensions are not sandboxed and therefore can access the 
full memory of the backend (including shared memory) I do not think this 
is really a concern specific to rendezvous variables. If an extension 
wants to steal an access token it can as it can just grab them form 
anywhere in the process memory.

You need to either audit all extensions you load or trust your packagers 
and extension authors. If you load extensions you do not trust they can 
do anything the postgres process can do.

-- 
Andreas Karlsson
Percona







^ permalink  raw  reply  [nested|flat] 2+ messages in thread


end of thread, other threads:[~2026-07-09 10:44 UTC | newest]

Thread overview: 2+ messages (download: mbox mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2026-07-09 10:36 Rendezvous variables: safe to pass an access token between two extensions? vaibhave postgres <[email protected]>
2026-07-09 10:44 ` Andreas Karlsson <[email protected]>

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox