In which directories can the "nobody" user write?

In which directories can the nobody user write in a standard, out-of-the-box Ubuntu distribution?

I already know about /tmp which is drwxrwxrwt, but are there any other places by default where any user can write?


Running a check on my system lists:

$ sudo find / -xdev -type d \( \( -user nobody -o -group nogroup \) -o -perm -777 \)
/tmp
/tmp/.X11-unix
/tmp/.ICE-unix
/var/tmp
/var/metrics
/var/spool/samba
/var/crash

Of these, I imagine /tmp, /var/tmp, and /var/crash to be present on all Ubuntu installations, since they are listed in the Filesystem Hierarchy Standard. The two directories inside /tmp are, I think, session-based directories, so they can be ignored. I don't think /var/spool/samba would be present on a fresh Ubuntu system, which leaves /var/metrics. I'm not sure what that directory is for.

A note on the find command:

  • -xdev excludes other filesystems (so I can skip /proc, /sys, my home directory, etc.)
  • -type d restricts the check to directories
  • \( -user nobody -o -group nogroup \) - either the owner should be nobody, or the group should be nogroup. We use the brackets to group this condition, and check for the other possibility, that
  • -perm -777 - everyone has all permissions, again joined using an OR (-o). Instead of -perm -777, one could simply use -perm -2 as Random832 suggests, to check write permission to others.
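A stricter form of the check discussed above, added here as an example and not part of the original answer. It tests only the write bit of the permission class that actually applies to the user, so it also catches modes such as drwx----wx, which -perm -777 misses. The function name list_writable_dirs is hypothetical, and GNU find is assumed.

```shell
#!/bin/sh
# Added example; list_writable_dirs is a hypothetical helper name.
# Prints directories under ROOT whose ownership and mode bits let USER
# (with primary group GROUP) create entries in them.
# USER and GROUP may be names or numeric IDs (GNU find accepts both).
#
# Linux consults exactly one permission class per access:
#   owner        -> owner bits (and the owner can always chmod the directory)
#   group member -> group bits only, even if the "other" bits are looser
#   anyone else  -> other bits
# Not covered: POSIX ACLs, supplementary groups, read-only mounts, and
# whether USER can traverse the parent directories to reach the result.
list_writable_dirs() {
    root=$1 user=$2 group=$3
    find "$root" -xdev -type d \( \
        -user "$user" \
        -o \( -group "$group" -perm -020 \) \
        -o \( ! -group "$group" -perm -002 \) \
    \)
}

# Typical call on Ubuntu (run as root so find can descend everywhere):
#   list_writable_dirs / nobody nogroup
```

World-writable results with the sticky bit set (mode 1777, like /tmp) still only allow a user to remove or rename their own entries.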