Apache Module — MPM ITK | cPanel & WHM Documentation

Apache Module — MPM ITK

Last modified: August 23, 2024

The mod_mpm_itk Apache module causes the Apache process to switch to the domain owner’s user identifier (UID) and group identifier (GID) before it responds to the request. This allows each user to isolate their files from others with the standard file permission settings.

Note:

To query all of the SETUID and SETGID values on a server, run the following command:

find / \( -path /proc -o -path /sys \) -prune -o -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;

Only use this module if you run modules that do not require thread-aware code.

Requirements

This module requires EasyApache 4, Apache 2.4, MPM Prefork, and the CGI PHP handler.

We strongly recommend that you only install the mod_mpm_itk Apache module on systems with Secure Computing Mode (seccomp v2) enabled in the kernel. You can run the following command to determine whether it’s enabled:

grep CONFIG_SECCOMP /boot/config-$(uname -r)

If Secure Computing Mode is enabled, the command should return an output similar to the following example:

1
2


/boot/config-4.18.0-553.8.1.el8_10.x86_64:CONFIG_SECCOMP_FILTER=y
/boot/config-4.18.0-553.8.1.el8_10.x86_64:CONFIG_SECCOMP=y

Compatibility

The MPM ITK module is not compatible with the following functions:

mod_http2
mod_ruid2
mod_fcgid
mod_userdir
mod_suPHP
CloudLinux’s™ PHP Selector feature
cPanel’s Leech Protection interface (cPanel » Home » Security » Leech Protection)

Note:

If you select the MPM ITK option, we strongly recommend that you remove the Leech Protection feature from your users’ feature lists. Use WHM’s Feature Manager interface (WHM » Home » Packages » Feature Manager) to change your users’ feature lists.

setuid() and setgid() restrictions

The MPM ITK Apache module implements restrictions on the use of the setuid() function and the setgid() function. As a result, scripts that depend on these functions may encounter problems. This includes scripts that use the mail() function, the shell_exec function, or the sudo command.

You can resolve these restrictions with one of the following methods:

Don’t use the MPM ITK Apache module.
Update your script to no longer require escalated privileges.
Turn off security and allow users to execute scripts as the root user. You can allow users with UID or GID between 0 and 4294496296 to bypass security if you add the following code to your /etc/apache2/conf.d/includes/pre_virtualhost_global.conf file:
1 2 3 4

<IfModule mpm_itk.c> LimitUIDRange 0 4294496296 LimitGIDRange 0 4294496296 </IfModule>

Warning:

We strongly recommend that you do not enable root privileges for your users. This action has major security implications and could endanger your server.

How to install or uninstall the module

You can install and uninstall the mod_mpm_itk Apache module in WHM’s EasyApache 4 interface (WHM » Home » Software » EasyApache 4).

Note:

The cPanel Default + MPM ITK EasyApache 4 profile contains the mod_mpm_itk Apache module by default.