Define system and shell commands. If you are goign to be giving shell acess you need to make sure and lock down the system along with keeping it update for the latest kernel exploits among other things.
John W, CISSP, C|EH
MS Information Security and Assurance ITEagleEye.com - Server Administration and Security Yawig.com - Managed VPS and Dedicated Servers with VIP Service
I beleive he's referring to allowing the system(); function in PHP.
The commands are executed through apache and therefore [should] be run as an unpriveleged user. So the only damage that could really be done is to the files apache has access to. Although, it may be advisable to install/read up on PHPSuExec
Disbaling system() will create chaos among clients, because that will affect the functionality of certain softwares. Yes I do agree that enabling system () is a security risk, but it will be good if you enable phpsuexec so that you can watch the processes running with username and not with nobody. In this way you can catch who is the vulnerble user in your server.
AssistanZ - Beyond Boundaries... Cloudstack Consultancy / 24x7 Web Hosting Support / 24x7 Server Management / Infrastructure Management Services Web & Mobile Apps Development / Web Designing Services / Php, Grails, Java Development
Leaving system() out will cause problems with your clients, end of story. That's an extremely poor way to run a business, what, telling clients "I'm sorry, but that function is disabled due to security reasons".. Errm, no, that offers very little more security, and there are ALWAYS ways around that.
There are very valid reasons for system() calls, the most common being image galleries which call manipulation functions from the system directly. There's others, of course, but those are the most common.
As to the original question:
how likely your server would be easily hacked by allowing system/shecll commands?
It all depends on how secure your server is, how populated it is, and how familliar you, specifically, are with Linux. If you have your server pretty much secured, yet talking to you every day, then you'll notice things that are off like hacks, etc.
Unfortunately, with the idiots out there now, it's not "how likely", but "when". If you make it harder for them to hack by tightening security, keeping an eye on what's out there , in the server, then you won't notice it as much. however, it's still going to happen, due to poor software programming, more than anything else.
WHMCS Guru - WHMCS addons, management, support and more. WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
Always looking for Linux, WHMCS, Support Desk work. PM for details