• Hosting Flash Sale: Starting at $0.43/mo for a limited time
Client Area
Client Area

Fixing “Cannot manage PHP versions when CageFS is disabled” on CloudLinux (cPanel/WHM)

When you open cPanel → Select PHP Version and get the dreaded:

Cannot manage PHP versions when CageFS is disabled

…it usually isn’t PHP’s fault at all. On CloudLinux servers, this error almost always boils down to two things:

  1. pam_lve is enabled for sudo (it shouldn’t be), and/or

  2. The cPanel user is disabled in CageFS.

Here’s the exact, production-safe fix we use at PrenHost.

TL;DR (copy–paste)

# 1) Remove pam_lve from sudo (keep it in sshd/su/crond/atd)
cp -a /etc/pam.d/sudo /etc/pam.d/sudo.bak.$(date +%F)
sed -i ‘/pam_lve\.so/d’ /etc/pam.d/sudo
grep -r “pam_lve” /etc/pam.d/ # confirm sudo no longer listed

# 2) Rebuild CageFS environment & alt-php INIs
cagefsctl –init
cagefsctl –force-update
cagefsctl –rebuild-alt-php-ini

# 3) Enable CageFS for users who need PHP Selector
cagefsctl –enable-all # or: cagefsctl –enable <username>
cagefsctl –list-disabled # verify the list is empty/expected

# 4) (Optional) Ensure alt-PHP is installed
# CloudLinux 8/9:
dnf groupinstall -y alt-php || true
# CloudLinux 7:
yum groupinstall -y alt-php || true

# 5) Restart cPanel UI (clears cached errors)
/scripts/restartsrv_cpsrvd

Open cPanel → Select PHP Version again. It should load instantly.

What’s actually happening?

  • PHP Selector (alt-PHP) only works inside CageFS. If a user is not caged, the page refuses to manage PHP versions for that account.

  • Adding pam_lve.so to /etc/pam.d/sudo unintentionally puts the helper that manages PHP Selector inside a cage, blocking access to system paths (like /usr/share/cagefs). That’s why the UI errors—even when CageFS is globally “Enabled”.

Keep pam_lve in sshd, su, crond, atd (recommended), but remove it from sudo.

Step-by-step with quick checks

1) Confirm the symptoms

cagefsctl --cagefs-status
cagefsctl --list-disabled
grep -r "pam_lve" /etc/pam.d/

If you see users listed as disabled, or pam_lve present in /etc/pam.d/sudo, proceed.

2) Remove pam_lve from sudo only

cp -a /etc/pam.d/sudo /etc/pam.d/sudo.bak.$(date +%F)
sed -i '/pam_lve\.so/d' /etc/pam.d/sudo
grep -r "pam_lve" /etc/pam.d/

You should still see pam_lve in sshd, su, crond, atdnot in sudo.

3) Refresh CageFS & alt-PHP bits

cagefsctl --init
cagefsctl --force-update
cagefsctl --rebuild-alt-php-ini

4) Enable CageFS for the accounts that need PHP Selector

All at once:

cagefsctl --enable-all

—or per user:

cagefsctl --enable <username>

Verify:

cagefsctl --list-disabled

5) Make sure alt-PHP is installed

dnf groupinstall -y alt-php || yum groupinstall -y alt-php

6) Restart cPanel UI and test

/scripts/restartsrv_cpsrvd

Then, as one of the affected users:

su -l <user> -s /bin/bash -c 'which php; php -v'

Open cPanel → Select PHP Version. The error should be gone.

When should I not enable CageFS?

Some legacy apps or special service accounts might be intentionally outside CageFS. Those users cannot use PHP Selector; manage them via WHM → MultiPHP Manager (EA-PHP) instead.

Troubleshooting checklist

  • Error persists only for certain users
    → They are still disabled in CageFS. Enable them and re-run --force-update.

  • Selector page loads, but PHP doesn’t change
    → Rebuild alt-PHP INIs: cagefsctl --rebuild-alt-php-ini.
    → Ensure no custom .htaccess or php.ini overrides are forcing EA-PHP.

  • Server recently migrated
    → Reinstall the alt-PHP group and refresh cages:
    dnf/yum groupinstall -y alt-php && cagefsctl --force-update.

Final thoughts

This fix is simple but easy to miss: don’t apply pam_lve to sudo. Pair that with enabling CageFS for the right users, and PHP Selector will behave perfectly.

If you’d like PrenHost to audit your CloudLinux estate (CageFS, LVE, alt-PHP, IO/CPU limits), reach out—this is the kind of hands-on tuning we perform daily for high-density cPanel servers.

Tags:

Leave a Reply