cPanel 'Managed Services' scripts throwing bizarre 'permission denied' errors after recent update, help!
we're constantly hitting this infuriating 'permission denied' error whenever we try to run certain cPanel or even some of our custom server maintenance scripts. it's totally inconsistent, sometimes it works, sometimes it just spits out this error. all this started after a recent cPanel update, which i'm pretty sure is the culprit.
here's what i'm seeing in the logs, it's pretty generic but always the same vibe:
[2023-10-27 14:35:01] ERROR: Script failed: /usr/local/cpanel/scripts/our_custom_maintenance.sh
[2023-10-27 14:35:01] STDOUT: Attempting to update database...
[2023-10-27 14:35:01] STDERR: /usr/local/cpanel/scripts/our_custom_maintenance.sh: line 15: /var/www/html/app/data/temp.log: Permission deniedthis error pops up for various scripts, not just this one. it's driving me nuts, honestly.
i've tried the usual suspects, hoping one would stick:
- checked file permissions (chmod 755/644, chown user:group) on everything i could think of.
- restarted cPanel services (cpaneld, httpd) more times than i care to admit.
- ran cPanel's own
upcp --forceandfixcommonproblems, crossing my fingers each time. - verified the user executing the script has all necessary sudo/root privileges, even tried running as root directly in some cases.
but nope, none of the above have consistently resolved the issue; it'll work once or twice, give me false hope, then revert right back to the same permission denied error. it's like the server is gaslighting me.
so, has anyone else run into similar 'permission denied' issues with cPanel scripts or custom 'managed services' automation after a recent update? i'm really grasping at straws here. are there any obscure cPanel config or systemd settings i should be looking at that might be causing this weirdness in our server administration?
2 Answers
Sade Traore
Answered 2 days ago- SELinux or AppArmor Enforcement: This is a prime suspect for inconsistent 'permission denied' errors that bypass traditional file permissions. Recent cPanel updates often tighten kernel-level security modules.
- Check Status: Run
sestatus(for SELinux) oraa-status(for AppArmor). If either is enforcing, it's likely interfering. - Review Logs: Check
/var/log/audit/audit.logfor SELinux denials (useausearch -m AVC -ts today) or/var/log/syslogfor AppArmor messages. These logs will explicitly state what was denied and why. - Temporary Test: For diagnostic purposes, you can temporarily set SELinux to permissive mode (
setenforce 0) or disable AppArmor profiles for the affected paths. If the scripts then run without error, you've found your culprit. The long-term solution involves creating specific SELinux policies or AppArmor profiles.
- Check Status: Run
- cPanel's `ea-php` and PHP-FPM User Context: Even if your custom scripts aren't PHP, if they're initiated by a web request or a cPanel hook that uses `ea-php`, the execution context matters. cPanel often runs PHP-FPM processes under specific user/group accounts, and these might have tighter restrictions after an update.
- Verify `open_basedir`: Ensure that `open_basedir` restrictions for the cPanel account (configured in MultiPHP Manager) aren't preventing the script from accessing
/var/www/html/app/data/. - PHP-FPM `php.ini` Settings: Check for any `disable_functions` or `suhosin` directives that might be new or re-enabled and preventing script execution.
- Verify `open_basedir`: Ensure that `open_basedir` restrictions for the cPanel account (configured in MultiPHP Manager) aren't preventing the script from accessing
- Systemd Unit File Permissions (for custom services): If your custom maintenance scripts are being called by a systemd service (e.g., a timer or a custom daemon), the `User=` and `Group=` directives within the `.service` file dictate the permissions. A cPanel update might have altered how systemd interacts with user contexts or applied new restrictions.
- Inspect `.service` files: Review the relevant systemd unit files for your custom scripts (e.g.,
/etc/systemd/system/your_custom_script.service) and confirm the `User=` and `Group=` directives are still appropriate and have not been overridden by system-wide policies.
- Inspect `.service` files: Review the relevant systemd unit files for your custom scripts (e.g.,
- Path Specific Permissions: While you checked general permissions, the error points directly to `line 15: /var/www/html/app/data/temp.log: Permission denied`. This suggests the user executing the script specifically cannot write to `temp.log` or create it in `/var/www/html/app/data/`.
- Full Path Ownership: Double-check the ownership (
chown -R user:group /var/www/html/app/data/) and permissions (chmod -R 755 /var/www/html/app/data/) for the *entire* directory path, ensuring the user running the script has write access to that specific directory. Sometimes a parent directory might be too restrictive. - ACLs (Access Control Lists): Less common, but check if any ACLs are applied to the directory that might be overriding standard permissions (
getfacl /var/www/html/app/data/).
- Full Path Ownership: Double-check the ownership (
- cPanel Security Advisor & Hardening: Run cPanel's Security Advisor if you haven't already. It might highlight new hardening measures that are inadvertently affecting your scripts. Also, check for any new ModSecurity rules that might be blocking script execution or specific commands.