Overview
The mod_mpm_itk Apache module causes the Apache process to switch to the domain owner's user identifier (UID) and group identifier (GID) before it responds to the request. This allows each user to isolate their files from others with the standard file permission settings.
Note:
To query all of the SETUID and SETGID values on a server, run the following command:
find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
Usage
Use this module only if you run modules that do not require thread-aware code.
Requirements
This module requires EasyApache 4, Apache 2.4, MPM Prefork, and the CGI PHP handler.
Warning:
We strongly recommend that you only install the mod_mpm_itk Apache module on a system that runs CentOS 7 with Secure Computing Mode (seccomp v2) enabled in the kernel. The mod_mpm_itk Apache module will run on CentOS 6, but will not be as secure.
Compatibility
The MPM ITK module is not compatible with the following functions:
- mod_http2
- mod_ruid2
- mod_userdir
- EAccelerator
- Mod suPHP
- CloudLinux's™ PHP Selector feature
- cPanel's Leech Protection feature (cPanel >> Home >> Security >> Leech Protection)
Note:
If you select the MPM ITK option, we strongly recommend that you remove the Leech Protection feature from your users' feature lists. Use WHM's Feature Manager interface (WHM >> Home >> Packages >> Feature Manager) to change your users' feature lists.
setuid() and setgid() restrictions
The MPM ITK Apache module implements restrictions on the use of the setuid() function and the setgid() function. As a result, scripts that depend on these functions may encounter problems. This includes scripts that use the mail() function, the shell_exec function, or the sudo command.
You can resolve these restrictions with one of the following methods:
- Do not use the MPM ITK Apache module.
- Update your script to no longer require escalated privileges.
- Turn off the security and allow users to execute scripts as the root user. You can allow users with a UID or GID between 0 and 4294496296 to bypass security if you add the following code to your /etc/apache2/conf.d/includes/pre_virtualhost_global.conf file.
<IfModule mpm_itk.c>
LimitUIDRange 0 4294496296
LimitGIDRange 0 4294496296
</IfModule>
Warning:
We strongly recommend that you do not enable root privileges for your users. This action has major security implications and could endanger your server.
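One way to check a server for the weakened setting described above, as an added example that is not cPanel's own code: the script reports any LimitUIDRange or LimitGIDRange directive whose lower bound is 0. The function names check_itk_ranges and sample_conf are hypothetical, and the 1000 to 60000 range in the sample is constructed for illustration.

```shell
#!/bin/sh
# Added example: report LimitUIDRange / LimitGIDRange directives whose
# lower bound is 0, that is, ranges that include the root UID or GID.

# check_itk_ranges FILE...
# Prints "file:line: Directive min max" for each offending directive.
# Returns 1 if any range starts at 0, otherwise 0.
check_itk_ranges() {
    awk '
        /^[ \t]*#/ { next }      # ignore commented-out lines
        {
            d = tolower($1)      # Apache directive names are case-insensitive
            if ((d == "limituidrange" || d == "limitgidrange") && NF >= 3 &&
                $2 ~ /^[0-9]+$/ && $2 + 0 == 0) {
                printf "%s:%d: %s %s %s\n", FILENAME, FNR, $1, $2, $3
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$@"
}

# Constructed sample input: the UID range from the page next to a
# made-up GID range that does not start at 0.
sample_conf() {
    cat <<'EOF'
<IfModule mpm_itk.c>
  # LimitUIDRange 0 4294496296
  LimitUIDRange 0 4294496296
  limitgidrange 1000 60000
</IfModule>
EOF
}

# Check the files named on the command line, for example
# /etc/apache2/conf.d/includes/pre_virtualhost_global.conf
if [ "$#" -gt 0 ]; then
    check_itk_ranges "$@"
fi
```

A non-zero exit status means at least one range includes 0, so the script can gate a configuration review or a scheduled audit.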
How to install or uninstall mod_mpm_itk
Note:
The cPanel Default + MPM ITK EasyApache 4 profile contains the mod_mpm_itk Apache module by default.
In the interface
The easiest way to install or uninstall the mod_mpm_itk Apache module is with WHM's EasyApache 4 interface (WHM >> Home >> Software >> EasyApache 4).
On the command line
Install the module
You must manually uninstall MPM Worker and install MPM Prefork in order for the MPM ITK module to work correctly. Perform the following steps on the command line before you install the MPM ITK module:
yum shell
remove ea-apache24-mod_mpm_worker
remove ea-apache24-mod_cgid
install ea-apache24-mod_mpm_prefork
install ea-apache24-mod_cgi
run
quit
To install the mod_mpm_itk Apache module, run the following command on the command line:
yum install ea-apache24-mod_mpm_itk
Uninstall the module
To uninstall the mod_mpm_itk Apache module, run the following command on the command line:
yum remove ea-apache24-mod_mpm_itk
After you uninstall the MPM ITK module, if you wish to use MPM Worker, you must perform the following steps on the command line:
yum shell
remove ea-apache24-mod_mpm_prefork
remove ea-apache24-mod_cgi
install ea-apache24-mod_mpm_worker
install ea-apache24-mod_cgid
run
quit