On 7/9/26 12:36, vaibhave postgres wrote:
Since rendezvous variables are just a global, name-keyed void * with no notion of who populated the slot, is it safe to pass a sensitive value (the token) this way? My worry is that another loaded module could register the same name and receive the token instead of the intended extension B.

Is there a supported way to verify the publisher of a rendezvous variable, or is there a better way to do this? Any prior art would help.

As PostgreSQL extensions are not sandboxed and therefore can access the full memory of the backend (including shared memory) I do not think this is really a concern specific to rendezvous variables. If an extension wants to steal an access token it can as it can just grab them form anywhere in the process memory.

You need to either audit all extensions you load or trust your packagers and extension authors. If you load extensions you do not trust they can do anything the postgres process can do.

--
Andreas Karlsson
Percona



Reply via email to