Skip to content

fix: don't fall back to dest-dir install on permission-denied upgrade errors#11

Merged
403-html merged 2 commits intomainfrom
copilot/fix-permission-denied-error-again
Mar 17, 2026
Merged

fix: don't fall back to dest-dir install on permission-denied upgrade errors#11
403-html merged 2 commits intomainfrom
copilot/fix-permission-denied-error-again

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Mar 17, 2026
edited
Loading

When the binary lives in a privileged directory (e.g. /usr/local/bin), nillsec upgrade produced a confusing internal error about temp file creation rather than telling the user to use sudo.

Root cause: downloadAndInstall fell back to installViaDestDir on any os.Rename failure. installViaDestDir works by staging a temp file inside the destination directory — useless when the failure is EACCES, since that directory isn't writable either.

Changes:

  • upgrade.go: Inspect the os.Rename error before deciding on a fallback:
    • EXDEV (cross-device link) → proceed with installViaDestDir as before
    • EACCES / permission error → return immediately with an actionable message
    • anything else → return the raw error
error: installing update: replacing binary (try running with elevated privileges, e.g. sudo): ...permission denied
  • upgrade_test.go: Added TestDownloadAndInstallPermissionDenied — chmod 555 on the destination directory, asserts the error contains "elevated privileges" and not "check write permissions", and verifies the original binary is untouched.

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

@403-html
fix: only fall back to installViaDestDir for cross-device rename errors
060a2f1 
When os.Rename fails with a permission error (e.g., binary in /usr/local/bin
and run without sudo), the previous code fell back to installViaDestDir which
tried to create a temp file in the same protected directory — producing a
confusing "check write permissions" error.

Now: EXDEV (cross-device link) errors still use the installViaDestDir fallback,
while permission errors surface a clear "try running with elevated privileges,
e.g. sudo" message.

Adds TestDownloadAndInstallPermissionDenied to cover this code path.

Co-authored-by: 403-html <57900160+403-html@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix permission denied error during nillsec upgrade fix: don't fall back to dest-dir install on permission-denied upgrade errors Mar 17, 2026
Copilot AI requested a review from 403-html March 17, 2026 18:30
@403-html 403-html marked this pull request as ready for review March 17, 2026 18:32
@403-html 403-html merged commit a3f5481 into main Mar 17, 2026
@403-html 403-html deleted the copilot/fix-permission-denied-error-again branch March 17, 2026 19:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@403-html 403-html Awaiting requested review from 403-html

Assignees

@403-html 403-html

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@403-html