I'd rather recommend to allow updates in the form of a module not a script, as so you only have to worry about the permissions for the script and not the modules, just make sure that any added directories (for added modules) must be accesible to the user under wich the script (usually the same as the server) runs, but you can alternatively also call another script (preferrably outside your web servers SERVER_ROOT) which runs as a different user due its been setuid or so to have those directories created for you.

Using modules to encapsulate all functionality you have all in handy to update your application entirely if the only scripts in front just use those modules. So you get stuck only in case that the script that looks for updates would need an update and does not store its functions in a module. Otherwise the script can do so easily, as as long as it runs to update itself all loaded modules remain available, so you just got the problem to step out and reload the script along with its modules again.

Have a nice day
All decision is left to your taste