Secure default VirtualHosts
When looking at /server-info, I noticed the two VirtualHosts at the bottom of this email that appear to have been created by default. They run PHP as the Apache user (nobody) and also are lacking a SuexecUserGroup, which has CGI scripts run as a user other than the Apache nobody user. If a script were to be exploited on these VirtualHosts, because it’d be running as the Apache user, it could read the files of other sites.
I’m not saying this is a vulnerability, but I certainly think as part of defense in depth, security would be better if these were set to run scripts as some isolated user, especially since there are various ScriptAlias, ScriptAliasMatch, and Alias directives that expose CGI scripts which may eventually have a vulnerability discovered in one of them (hopefully not, but you never know). Thinking of a few examples, guestbook.cgi had a remote code execution vulnerability a long time ago and then of course there was Shellshock more recently - the more we can contain things the better, since it's unlikely any system will have perfect security.
I propose all new installs of cPanel have these locked down by default by having a special suPHP_UserGroup and SuexecUserGroup user/group rather than sharing Apache's, and for existing ones there be an option added to lock them down but that it default to off so as to not break anything that people are already relying on.
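An added example, not part of the original post and not cPanel's code: a small Python audit that reports `<VirtualHost>` blocks which omit `SuexecUserGroup` or `suPHP_UserGroup`, or which set either one to the shared Apache user. The sample config, hostnames, addresses and paths are constructed, and the function name `audit_vhosts` is hypothetical.

```python
import re

# Constructed sample config (not from the post): a default vhost with no script
# isolation, an isolated vhost, and one that still names the Apache user.
SAMPLE_CONF = """\
<VirtualHost 192.0.2.10:80>
    ServerName default.example.test
    ScriptAlias /cgi-sys/ /srv/example/cgi-sys/
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName site.example.test
    # SuexecUserGroup nobody nobody
    SuexecUserGroup siteuser siteuser
    suPHP_UserGroup siteuser siteuser
</VirtualHost>
<VirtualHost 192.0.2.11:80>
    ServerName shared.example.test
    SuexecUserGroup nobody nobody
    suPHP_UserGroup shareduser shareduser
</VirtualHost>
"""

REQUIRED = ("SuexecUserGroup", "suPHP_UserGroup")
SHARED_USERS = {"nobody"}  # Apache user named in the post; extend as needed
BLOCK = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)

def audit_vhosts(conf_text):
    """Hypothetical helper: map ServerName (or listen address) -> problems.
    Directive names are matched case-insensitively, as Apache does."""
    findings = {}
    for addr, body in BLOCK.findall(conf_text):
        seen = {}
        for raw in body.splitlines():
            parts = raw.split()
            if len(parts) < 2 or parts[0].startswith("#"):
                continue  # blank lines, comments, lines without an argument
            seen[parts[0].lower()] = parts[1]  # keep the first argument (user)
        problems = []
        for directive in REQUIRED:
            user = seen.get(directive.lower())
            if user is None:
                problems.append(f"missing {directive}")
            elif user in SHARED_USERS:
                problems.append(f"{directive} runs as shared user {user}")
        if problems:
            findings[seen.get("servername", addr.strip())] = problems
    return findings

if __name__ == "__main__":
    print(audit_vhosts(SAMPLE_CONF))
```

The check reads only the text it is given, so `Include`d files have to be concatenated first or audited one by one.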