Continuing on the premise that we're talking about PHP, I would like to remind you (all) that the security risk is not only in allowing exec but more so in the way it can be accessed. You probably do not need the warning, but if you look at the past few years you'll see that PHP-based software in general is not without security problems (the best understatement I can make without getting all nasty), most of them being input-validation related. If you deploy home-brew software, please make sure you practice safe coding; if you deploy off-the-shelf software, please make sure it's ready for production environment use (XAMPP, for example, clearly states it's *not*, and people still use it), maintained and supported, and the latest version. Next to that, see if you can afford to run an IDS, run under SELinux/grsecurity RBAC, chroot or virtualise the whole package, run Hardened-PHP, mod_security, extend logging, etc., etc. for early warning, to limit damage, and for alerting.
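As an added illustration of the point about how exec gets accessed (this is example code written for this page, not the poster's and not from any project they name), below is a PHP handler that passes a request parameter to the shell, beside a hardened version. The function names, the `ping` use case and the sample inputs are all assumptions made for the example.

```php
<?php
// Added example: the danger is not shell_exec() itself but feeding it
// attacker-controlled input. Both functions below run "ping" on a host
// taken from a request; only the second one is safe to expose.

// VULNERABLE: the parameter is interpolated straight into the command line.
// A request carrying "127.0.0.1;id" makes the shell run a second command.
function ping_unsafe(string $host): ?string
{
    return shell_exec("ping -c 1 $host");
}

// HARDENED: validate against a strict allow-list first, then quote the
// argument, and call the binary by absolute path so $PATH cannot be abused.
function ping_safe(string $host): string
{
    // Allow only hostname/IPv4 characters, bounded length, and no leading
    // hyphen (a value such as "-h" would otherwise be parsed as an option).
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9.-]{0,252}\z/', $host)) {
        throw new InvalidArgumentException('invalid host');
    }
    $cmd = '/bin/ping -c 1 ' . escapeshellarg($host);
    $out = shell_exec($cmd);
    return $out === null ? '' : $out;
}

// Constructed inputs for the demonstration: one benign, one hostile.
$benign  = '127.0.0.1';
$hostile = '127.0.0.1;id';

// ping_unsafe($hostile) would execute:  ping -c 1 127.0.0.1;id
// i.e. two commands. Do not run it with untrusted input.
echo ping_unsafe($benign);

try {
    ping_safe($hostile);   // rejected before any shell is spawned
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
echo ping_safe($benign);
```

The allow-list is the primary control; `escapeshellarg()` is defence in depth for the case where the pattern is later loosened. Where the PHP version permits it, passing an argument array to `proc_open()` instead of a shell string avoids the shell entirely, which is the stronger option.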