waterfall build 276
LuckPerms 4.4.4 (I understand I'm out of date, but did not see this fixed in issues)
Tracks/groups:

owner track: owner (highest group)
staff track: staff -> admins -> execs
player track: default -> champion

I have two accounts: Main and Alt

When Main is set to owner, and Alt is set to execs,
Alt can successfully issue the command:
/lpb user Main parent set default
However, Alt is not able to issue the command:
/lpb user Main parent set owner
"You do not have permission to use this command!"

This seems like a security issue, as anyone with the ability to set parent groups can remove staff from higher positions.

There will be a total of 4 people who will have access to setting user parents, all of whom I trust greatly, but this is possibly not the case elsewhere. Kudos on preventing setting users to higher groups by default, however.

I am willing to assist in any way as needed.

I suspect this may be because the execs group has or inherits the * permissions from somewhere? That's something I didn't account for when implementing the feature, and is fixed in the above commit.

Maybe it goes some way to solving the issue?

However, assuming in this case, execs has permission to all LuckPerms commands, they'll still be able to use the parent clear command on someone with the owner group and clear all of their permissions.

I'd argue that it isn't really a security issue this way around - the idea behind the require-sender-group-membership-to-modify option was really to prevent admins from adding themselves to a higher group, not the other way around. I'm inclined to leave things this way.

I'm sorry, but I just confirmed execs does not have, nor does it inherit * or luckperms.*

With that, I'd counter your argument that this still is a potential security issue. Rogue admins removing the owner is a problem. Not in my case, but still.

I'm just gonna reply to counter your thing here AeSix, realistically how can you say its a security issue, when if your worried about them removing the owner rank, you can give it yourself back and demote the admin, with this magic device called "Console". It seams with your concern of an admin being able to remove an owner rank would only be a problem if this magic device does not get created! ah wait, it already exists!

@JE201506 It would be nice if you could refrain from being antagonistic. I understand you believe to have a greater amount of knowledge and skill, apt to administer a game server. I've done nothing but reported an issue. Yes, I know the console exists.

I provide support for multiple communities, and I can assure you, that level of knowledge and skill is not the norm. I also know that there are a lot of people who run Minecraft servers who a) have limited to no access to console, b) do not know when to trust people, c) are more-or-less forced to trust people with the ability to add lower staff - not to mention staff getting pissed off and wanting to destroy as much as possible because of some stupid reason. Most "owners" rely heavily on plugins to just work. And something so simple should just work.

All of that puts the owner in a position to lose control of their server. All because of something so silly as to defaultly allow people to remove users from higher groups. If there was not already a mechanism in place to prevent people from adding to higher groups, first, I'd be annoyed, but then I wouldn't expect them to be prohibited from removing.

Suppose you're using a server with no console, such as the plethora of game host companies out there which provide a panel instead. Now suppose you're not that great of an admin, after all you're using a panel. And suppose you're not that great with the panel. This sums up a rather large portion of users. Now let's say I join your server, gain your trust and get promoted to staff. And because you trust me, and know you need more jr staff, you give me the ability to promote players. But then you piss me off. So I remove you from your group. Most ban-exemption plugins work by checking a player's group. You're now in the default group. So, I ban you. By the time you realize this, maybe 8-12 hours later because you went to bed just before I did this - now I have free reign of the server. Again, you're pretty much an idiot and don't know how to use the panel to regain access. Congratulations. The only option you have left is to rebuild your server from ground up. Or hope you can get someone to help you, and hope I hadn't completely wrecked your permissions, the world, or cause a great amount of social damage (bashing players, cussing out everyone, etc) A malicous person with power can do a lot of damage in a very short amount of time.

So yes, it's a security issue. And as far as I can figure, it's a simple one to resolve. Just do the same check that is performed when attempting to add players to a group equal or higher than the issuer's group.

I really don't know what I said previously to trigger you, but maybe try, in the future, to either be helpful or at least polite when replying to people for issues. You'll go further, easier in life.

@lucko Thank you for the initial fix, I will test it, however I feel it will have no affect in regards to the issue as I stated previously that the lower group does not have any asterisk permission.

I believe this has been fixed now - sorry I forgot to reply here / close the issue!