cracker/hacker can change php.ini to incative global function and execute bash shell to send thousand spam email

disable_functions =

please protect this function, nobody can change except some user was allow

cracker / hacker can also add a cgi handler to .htaccess file, and run full blown CGI -- even if you blocked it on cPanel level. Hence all those disable_functions are meaningless (we have just recently witnessed attack like that -- even though user had all the disabled_functions you can ask for.

Relying on user not being able to run arbitrary shell / scirpt commands is just opening yourself for set of troubles. Correct way to go is to have CageFS & some form of anti-spam.

Eitherway -- we do plan to try to limit php.ini config options that user can modify.