mod_mpm_itk Apache module causes the Apache process to switch to the domain owner's user identifier (UID) and group identifier (GID) before it responds to the request. This allows each user to isolate their files from others with the standard file permission settings.
Use this module only if you run modules that do not require thread-aware code.
This module requires EasyApache 4, Apache 2.4, the MPM Prefork, and
We strongly recommend that you only install the MPM ITK Apache module on a system that runs CentOS 7 with Secure Computing Mode (seccomp v2) enabled in the kernel. The MPM ITK Apache module will run on CentOS 6, but will not be as secure.
The MPM ITK module is not compatible with the following modules:
- Mod Ruid2
- Mod suPHP
- CloudLinux's™ PHP Selector feature
- cPanel's Leech Protection feature (cPanel >> Home >> Security >> Leech Protection)
setuid() and setgid() restrictions
Recent versions of the MPM ITK Apache module implemented restrictions on the use of the
setuid() function and the
setgid() function. As a result, scripts that depend on these functions may encounter problems. This includes scripts that use the
mail() function, the
shell_exec function, or the
You can resolve this with one of the following methods:
- Do not use the MPM ITK Apache module.
- Update your script to no longer require escalated privileges.
Turn off the security and allow users to execute scripts as the
rootuser. You can allow users with a UID or GID between
2000to bypass security if you add the following code to your
We strongly recommend that you do not enable
rootprivileges for your users. This action has major security implications and could endanger your server.
How to install or uninstall mod_mpm_itk
Module status in default profiles
The following EasyApache profiles include the
mod_mpm_itk Apache module by default:
- MPM ITK
Install the MPM ITK Apache module with the EasyApache 4 interface, or use yum.
You must manually uninstall MPM Worker and install MPM Prefork in order for the MPM ITK module work correctly. You must perform the following steps on the command line before you install the MPM ITK module:
To uninstall the MPM ITK module and use the MPM Worker again, you must perform the following steps after you uninstall the MPM ITK module:
We introduced the MPM ITK option to servers that use Apache version 2.4 and EasyApache 4 in the following versions:
- All builds of cPanel & WHM version 11.52 or later
The following text is an excerpt from the MPM ITK website:
Apache2-mpm-itk (just mpm-itk for short) is an MPM (Multi-Processing Module) for the Apache web server. mpm-itk allows you to run each of your vhost under a separate uid and gid—in short, the scripts and configuration files for one vhost no longer have to be readable for all the other vhosts.
For more information on the
mod_mpm_itk Apache module, read the vendor documentation.