I know that the tmp folder is written to by the application; is it the only one?
My goal is to run a “chmod o-w” on all parts of the application where it it can be done.
Incidentally, that could be added to the securing-an-install guide imho - for really safe setups, the sysadmin might want to even set config.php to readonly - is it written by the admin interface when changing settings?