[Mailman-Users] Roster security

Rubén Fernández Asensio enseikou at gmail.com
Sun May 20 10:32:08 EDT 2018

Hi all!
My question may be dumb, but I need some confirmation.
I set up a list so that the roster is visible to subscribers.
I just noticed that, when any subscriber logs into the roster, s/he can 
access any other user's option page and try to unsubscribe that user or 
send a password reminder.
I know no user can be unsubscribed without replying to the confirmation 
message, but I was very surprised that any subscriber would be allowed 
to do that to any other. I thought making the roster visible to 
subscribers would only expose their emails (and names, if they provided 
Is this by design, or is this a bug in my Mailman installation? Is there 
any way of making the roster visible to subscribers without giving 
access to personal option pages through it?


More information about the Mailman-Users mailing list