This is why my directories with shell scripts have a "make install" target. For execution they are copied to a place where they are unlinked before being written anew.
Assuming that you actually use rename() to do the unlinking and atomic updating, the "make install" should also ensure that write permission is removed from the new files.
* https://github.com/jdebp/nosh/blob/79b1c0aab9834a09a59e15d47...
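The install step discussed in this thread, as an added example that is not part of either comment or of the linked project: the new file is made read-only before a rename() puts it in place, and a reader holding the old file open is unaffected. The helper name `install_atomic`, the `demo` function and the sample scripts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). install_atomic is a hypothetical helper name.

# install_atomic SRC DEST: replace DEST with a read-only copy of SRC in one rename().
install_atomic() {
    src=$1 dest=$2
    # The temporary file must live in DEST's directory: rename() cannot cross
    # filesystems, and mv falls back to a non-atomic copy when it has to.
    tmp=$(mktemp "$(dirname -- "$dest")/.install.XXXXXX") || return 1
    # Permissions are set before the rename so DEST is never visible as writable.
    if cp -- "$src" "$tmp" && chmod 0555 "$tmp" && mv -f -- "$tmp" "$dest"; then
        return 0
    fi
    rm -f -- "$tmp"
    return 1
}

# demo: a reader that opened the old script keeps its old inode across an update.
demo() {
    work=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho v1\n' > "$work/v1.sh"   # constructed sample scripts
    printf '#!/bin/sh\necho v2\n' > "$work/v2.sh"
    install_atomic "$work/v1.sh" "$work/tool" || return 1
    exec 3< "$work/tool"                 # stands in for a shell part-way through the script
    install_atomic "$work/v2.sh" "$work/tool" || return 1
    held=$(tail -n 1 <&3)                # still the old, now unlinked, inode
    exec 3<&-
    current=$(tail -n 1 "$work/tool")    # the path now resolves to the new file
    mode=$(ls -l "$work/tool" | cut -c1-10)
    rm -rf "$work"
    printf '%s|%s|%s\n' "$held" "$current" "$mode"
}

demo
```

Overwriting the destination in place (for example `cp new dest`) would instead change the bytes under the open descriptor, which is the failure the "make install" step avoids.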