Securing installation - which directories can be made read-only?

I know that the tmp folder is written to by the application; is it the only one?

My goal is to run a “chmod o-w” on all parts of the application where it can be done.

Incidentally, that could be added to the securing-an-install guide imho - for really safe setups, the sysadmin might want to even set config.php to readonly - is it written by the admin interface when changing settings?

If you make things read-only, then you have to make everything writeable before you attempt to auto-update.

At minimum, config and tmp should be writeable. (For example, config.ini.php is updated when plugins are activated/deactivated.)
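
One way to script the advice in the reply above, as an added example that is not part of the original thread. It assumes config/ and tmp/ sit directly under the install root and that the application's account owns the files; the function names are hypothetical, and it removes every write bit (a-w) rather than only o-w.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: config/ and tmp/ sit
# directly under the install root; the application's account owns the files.

# Remove all write bits outside config/ and tmp/ (symlinks are skipped).
lock_install() {
    root=${1%/}
    if [ ! -d "$root/config" ] || [ ! -d "$root/tmp" ]; then
        echo "lock_install: $root has no config/ or tmp/" >&2
        return 1
    fi
    find "$root" \( -path "$root/config" -o -path "$root/tmp" \) -prune \
        -o ! -type l -exec chmod a-w {} +
}

# Give the owner write access everywhere again, e.g. before an auto-update.
unlock_install() {
    root=${1%/}
    find "$root" ! -type l -exec chmod u+w {} +
}

# Count paths outside config/ and tmp/ that still carry any write bit.
count_writable_outside() {
    root=${1%/}
    find "$root" \( -path "$root/config" -o -path "$root/tmp" \) -prune \
        -o ! -type l \( -perm -200 -o -perm -020 -o -perm -002 \) -print |
        wc -l | tr -d ' '
}
```

Run lock_install after installing or updating and unlock_install before the next auto-update; count_writable_outside should print 0 while the install is locked.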