I already made a related post with background information here:
However, I want to clarify the root issue and would love to hear feedback from the developers.
The issue is that dolibarr.postinst assigns the entire usr/share/dolibarr folder to the web user www-data and also grants editing rights. This means that not only conf.php is writable, but the whole folder with its contents. This also means that the issue at large is not fixed by just changing conf.php from write to read, as suggested before.
Essentially, this allows someone with (malicious intent and) access through dolibarr to the www-data user to edit files in usr/share/dolibarr, and consequently gives them access to a vulnerability (folder-wide and unnecessary editing rights).
This is an opportunity for attackers to receive access to:
- change the installation and
- permanently launch attacks on the system and
- receive access to the system beyond dolibarr
It would be appreciated if the devs changed the .deb package so that the edit rights for the www-user won’t be granted to begin with. That way the potential security risk can be reduced.
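An added example (not from the post or the Dolibarr project) that audits the condition described above: it lists everything under an installation tree that a given web user could modify by permission bits, so a packager or admin can confirm that only the intended file (conf.php) is writable. The path /usr/share/dolibarr and the user www-data are assumed from the post; any other Debian web app tree works the same way.

```sh
#!/bin/sh
# Audit which entries under DIR the user USER could modify, judged purely by
# ownership and mode bits (no ACL or capability handling).
# writable_by_user DIR USER
writable_by_user() {
    dir=$1
    user=$2
    # Groups the user belongs to; unknown user -> return 2 so callers can tell.
    user_groups=$(id -Gn "$user" 2>/dev/null) || return 2
    # Entries (files and directories) owned by USER with the owner-write bit set.
    # A writable directory matters too: files can be created or renamed in it.
    find "$dir" -user "$user" -perm -200
    # Entries not owned by USER, in one of USER's groups, with group-write set.
    for g in $user_groups; do
        find "$dir" ! -user "$user" -group "$g" -perm -020
    done
    # World-writable entries, whoever owns them.
    find "$dir" -perm -002
}

# count_writable DIR USER: number of distinct writable entries (0 is the goal
# for everything except the configuration file the application must update).
count_writable() {
    writable_by_user "$1" "$2" | sort -u | wc -l | tr -d ' '
}

# Usage on a Debian host (assumed defaults from the post):
#   sh audit.sh /usr/share/dolibarr www-data
if [ "$#" -eq 2 ]; then
    writable_by_user "$1" "$2" | sort -u
fi
```

Expect the list to contain only conf.php (and the document/data directories the application legitimately writes to); a listing that covers the whole tree reproduces the packaging problem reported above.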