From 96c489bb3dbf96c7ea2f7a9072b4c5596f448ada Mon Sep 17 00:00:00 2001 From: 0xmiel Date: Wed, 16 Jun 2021 11:55:58 +0200 Subject: [PATCH] Faq update + misc edits (#2653) * update faq with permissions help, link in migration guide and importing keys * add link to Git for Windows * update windows install --- docs/the_nimbus_book/src/faq.md | 63 ++++++++++++++++++++++++++- docs/the_nimbus_book/src/install.md | 12 ++--- docs/the_nimbus_book/src/keys.md | 4 ++ docs/the_nimbus_book/src/migration.md | 3 ++ 4 files changed, 76 insertions(+), 6 deletions(-) diff --git a/docs/the_nimbus_book/src/faq.md b/docs/the_nimbus_book/src/faq.md index e2b6854b1..21447d665 100644 --- a/docs/the_nimbus_book/src/faq.md +++ b/docs/the_nimbus_book/src/faq.md @@ -1,6 +1,6 @@ # Frequently Asked Questions -## Nimbus +## General ### How do I fix the discovered new external address warning log? 
@@ -48,6 +48,67 @@ To add an additional validator, just follow [the same steps](./keys.md) as you d > Note that a single Nimbus instance is able to handle multiple validators. +## Folder Permissions + +To protect against key loss, Nimbus requires that files and directories be owned by the user running the application. Furthermore, they should not be readable by others. + +It may happen that the wrong permissions are applied, particularly when creating the directories manually. + +The following errors are a sign of this: + +- `Data folder has insecure ACL` +- `Data directory has insecure permissions` +- `File has insecure permissions` + +Here is how to fix them. + +### Linux/ BSD / MacOS + +Run: + +``` +# Changing ownership to `user:group` for all files/directories in . +chown user:group -R +# Set permissions to (rwx------ 0700) for all directories starting from +find -type d -exec chmod 700 {} \; + +# Set permissions to (rw------- 0600) for all files inside /validators +find /validators -type f -exec chmod 0600 {} \; + +# Set permissions to (rw------- 0600) for all files inside /secrets +find /secrets -type f -exec chmod 0600 {} \; + +``` + +In sum: + +- Directories ``, `/validators`, `/secrets` MUST be owned by user and have `rwx------` or `0700`permissions set. + +- Files stored inside ``, `/validators`, `/secrets` MUST be owned by user and have `rw------` or `0600` permission set. 
+ +### Windows + +From inside `Git Bash`, run: + +``` +# Set permissions for all the directories starting from +find -type d -exec icacls {} /inheritance:r /grant:r $USERDOMAIN\\$USERNAME:\(OI\)\(CI\)\(F\) \; + +# Set permissions for all the files inside /validators +find /validators -type f -exec icacls {} /inheritance:r /grant:r $USERDOMAIN\\$USERNAME:\(F\) \; + +# Set permissions for all the files inside /secrets +find /secrets -type f -exec icacls {} /inheritance:r /grant:r $USERDOMAIN\\$USERNAME:\(F\) \; +``` + +> **N.B.** Make sure you run the above from inside `Git Bash`, these commands will not work from inside the standard Windows Command Prompt. If you don't already have a `Git Bash` shell, you'll need to install [Git for Windows](https://gitforwindows.org/). + +In sum: + +- Directories ``, `/validators`, `/secrets` MUST be owned by user and have permissions set for the user only (OI)(CI)(F). All inherited permissions should be removed. + +- Files which are stored inside , /validators, /secrets MUST be owned by user and have permissions set for the user only (F). All inherited permissions should be removed. + ## Validating diff --git a/docs/the_nimbus_book/src/install.md b/docs/the_nimbus_book/src/install.md index 9eaa023f0..ad14e1d04 100644 --- a/docs/the_nimbus_book/src/install.md +++ b/docs/the_nimbus_book/src/install.md 
@@ -53,12 +53,14 @@ To build Nimbus on windows, the Mingw-w64 build environment is recommended. Install Mingw-w64 for your architecture using the "[MinGW-W64 Online Installer](https://sourceforge.net/projects/mingw-w64/files/)": -* select your architecture in the setup menu (`i686` on 32-bit, `x86_64` on 64-bit) -* set threads to `win32` -* set exceptions to "dwarf" on 32-bit and "seh" on 64-bit. -* Change the installation directory to `C:\mingw-w64` and add it to your system PATH in `"My Computer"/"This PC" -> Properties -> Advanced system settings -> Environment Variables -> Path -> Edit -> New -> C:\mingw-w64\mingw64\bin` (`C:\mingw-w64\mingw32\bin` on 32-bit) +1. Select your architecture in the setup menu (`i686` on 32-bit, `x86_64` on 64-bit) +2. Set threads to `win32` +3. Set exceptions to "dwarf" on 32-bit and "seh" on 64-bit. +4. Change the installation directory to `C:\mingw-w64` and add it to your system PATH in `"My Computer"/"This PC" -> Properties -> Advanced system settings -> Environment Variables -> Path -> Edit -> New -> C:\mingw-w64\mingw64\bin` (`C:\mingw-w64\mingw32\bin` on 32-bit) -Install [Git for Windows](https://gitforwindows.org/) and use a "Git Bash" shell to clone and build nimbus-eth2. +Install [Git for Windows](https://gitforwindows.org/) and use a "Git Bash" shell to clone and build `nimbus-eth2`. + +> **Note:** If the online installer isn't working you can try installing`Mingw-w64` through [MSYS2](https://www.msys2.org/). ### Android diff --git a/docs/the_nimbus_book/src/keys.md b/docs/the_nimbus_book/src/keys.md index b4f577c73..b1b7ce756 100644 --- a/docs/the_nimbus_book/src/keys.md +++ b/docs/the_nimbus_book/src/keys.md 
@@ -34,6 +34,10 @@ build/nimbus_beacon_node deposits import --data-dir=build/data/shared_mainnet_0 You'll be asked to enter the password you created to encrypt your keystore(s). Don't worry, this is entirely normal. Your validator client needs both your signing keystore(s) and the password encrypting it to import your [key](https://blog.ethereum.org/2020/05/21/keys/) (since it needs to decrypt the keystore in order to be able to use it to sign on your behalf). + + >**Note:** If you come across an error, it's probably because the wrong permissions have been set on either a folder or file. See [here](faq.md#folder-permissions) for how to fix this. + + ## Storage diff --git a/docs/the_nimbus_book/src/migration.md b/docs/the_nimbus_book/src/migration.md index 42c28559c..152d522c4 100644 --- a/docs/the_nimbus_book/src/migration.md +++ b/docs/the_nimbus_book/src/migration.md @@ -85,6 +85,9 @@ To be extra sure that your validator has stopped, wait a few epochs and confirm To import you validator key(s), follow the instructions [outlined here](./keys.md). > To check that your key(s) has been successfully imported, look for a file named after your public key in `build/data/shared_mainet_0/secrets/`. +> +> If you run into an error at this stage, it's probably because the wrong permissions have been set on either a folder or file. See [here](faq.md#folder-permissions) for how to fix this. + ## Step 4 - Import your slashing protection history
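Review bot: in docs/the_nimbus_book/src/faq.md, hunk @@ -48,6 +48,67 @@, the Linux/BSD/macOS block writes `chown user:group -R` with the option after the operand. BSD and macOS `chown` stop parsing options at the first operand, so on two of the three platforms in the heading `-R` is taken as a file name; suggest `chown -R user:group` followed by the directory. As the lines read here, no directory argument shows on that command or on `find -type d`, and `find /validators` and `find /secrets` start at the filesystem root. If a data directory placeholder was intended, it does not show, and the last Windows bullet lists its paths without backticks, unlike the bullets above it. The files summary also says `rw------` (eight characters) where the comment in the code block has `rw-------`, and `0700`permissions is missing a space.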
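Review bot: in docs/the_nimbus_book/src/install.md, hunk @@ -53,12 +53,14 @@, the added note reads "installing`Mingw-w64`" with no space before the backtick, so the inline code runs into the preceding word. The same hunk spells the name both "Mingw-w64" and "MinGW-W64"; pick one. In the renumbered list, step 3 ends with a period while steps 1, 2 and 4 do not.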
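Review bot: in docs/the_nimbus_book/src/keys.md, hunk @@ -34,6 +34,10 @@, the new note says only "If you come across an error", which does not let a reader tell a permissions failure from a wrong keystore password, and the paragraph right above is about entering that password. Suggest naming the messages the FAQ section lists (`Data directory has insecure permissions`, `File has insecure permissions`) before linking to it. The marker is written `>**Note:**` without the space used in `> **Note:**` in install.md and `> **N.B.**` in faq.md.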
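Review bot: in docs/the_nimbus_book/src/migration.md, hunk @@ -85,6 +85,9 @@, the context line directly above the added text points to `build/data/shared_mainet_0/secrets/`, while keys.md in this same patch uses `build/data/shared_mainnet_0`. The new sentence sends readers whose import failed to check folders and files, so a misspelled directory name next to it will mislead them; fix it in this change. The context line "To import you validator key(s)" should read "your", and the link text "here" could name the FAQ section instead.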