Does enabling shell_exec in php.ini always pose a security risk? Or can it be done safely?
Short answer: potentially.
Medium answer: any time you allow some program to be run on your server from the web, it's a risk.
Long answer: it depends on how your system is configured and how you will be using it. In safe mode, it is disabled (this is a good indicator). It is also a good idea to use dedicated user/group for each service you are running, including your web service, and avoid 'master' services. [please see the Server forum for help with this] Just how safe it is to use will depend on the privileges of this user/group and what the method will running. Are you allowing only predefined tasks or letting users enter what they want (big no-no).