feat(upgrade): check if user has write access to deno exe (#16378)

cli/Cargo.toml

@@ -118,6 +118,9 @@ fwdansi = "=1.1.0"
 junction = "=0.2.0"
 winapi = { version = "=0.3.9", features = ["knownfolders", "mswsock", "objbase", "shlobj", "tlhelp32", "winbase", "winerror", "winsock2"] }
 
+[target.'cfg(unix)'.dependencies]
+nix = "=0.24.2"
+
 [dev-dependencies]
 deno_bench_util = { version = "0.67.0", path = "../bench_util" }
 dotenv = "=0.15.0"
@@ -129,9 +132,6 @@ test_util = { path = "../test_util" }
 trust-dns-client = "=0.22.0"
 trust-dns-server = "=0.22.0"
 
-[target.'cfg(unix)'.dev-dependencies]
-nix = "=0.24.2"
-
 [package.metadata.winres]
 # This section defines the metadata that appears in the deno.exe PE header.
 OriginalFilename = "deno.exe"

cli/tools/upgrade.rs

@@ -128,10 +128,24 @@ pub fn check_for_upgrades(cache_dir: PathBuf) {
 
 pub async fn upgrade(upgrade_flags: UpgradeFlags) -> Result<(), AnyError> {
   let old_exe_path = std::env::current_exe()?;
-  let permissions = fs::metadata(&old_exe_path)?.permissions();
+  let metadata = fs::metadata(&old_exe_path)?;
+  let permissions = metadata.permissions();
 
   if permissions.readonly() {
-    bail!("You do not have write permission to {:?}", old_exe_path);
+    bail!(
+      "You do not have write permission to {}",
+      old_exe_path.display()
+    );
+  }
+  #[cfg(unix)]
+  if std::os::unix::fs::MetadataExt::uid(&metadata) == 0
+    && !nix::unistd::Uid::effective().is_root()
+  {
+    bail!(concat!(
+      "You don't have write permission to {} because it's owned by root.\n",
+      "Consider updating deno through your package manager if its installed from it.\n",
+      "Otherwise run `deno upgrade` as root.",
+    ), old_exe_path.display());
   }
 
   let client = build_http_client(upgrade_flags.ca_file)?;