Friday, November 2, 2007

OS X 10.5 (Leopard) Secure Installation Notes

This is not a complete report on 10.5, just my personal notes on the installation process. This will give you a totally sweet and at least vaguely secure configuration. You'll need to be a real nerd though. And following along with these notes WILL wipe your system. You've been warned.

Backup
First, before you do anything, back up your machine. Use SuperDuper!. SuperDuper! can create a bootable clone of your boot drive, and it's the only thing that really works. Make TWO backups, onto two separate drives, just in case.

Reboot from your backups to ensure they're good. Then restart from your primary drive and disconnect the backup drives.

Note that SuperDuper! is NOT YET 10.5 compatible. Once you upgrade you'll be unable to use SuperDuper! until the dude finishes his 10.5 build. This is almost reason enough not to upgrade.


Clean Install
Disconnect any external drives. Especially the drives you backed up to.

Run the installer (and wait for media check). Select "Erase and Install". The upgradey options kinda work, but will leave your system broken or problematic. DO NOT upgrade. I repeat, select "Erase and Install". It'll WIPE YOUR DISK, but you have two different backups on two different disks, right? 

When presented with the choice, choose Customize. Ditch all or most of the "Language Translations". Ditch the extra fonts (unless you need them for foreign languages). There's gigs n gigs of printer drivers, too, so if you don't wander the earth bumming printer time, just install what you need. Install X11 (duh). Let the install run.

Admin User Account
When prompted to set up a user account, don't set up your normal user account. Instead, set up an admin user. You will do admin stuff from the admin account. Your day-to-day work will be done as a normal user with no special privileges. If any special permissions are needed, say to change something systemy or install some crappy software, you will first have to authenticate as the admin user when prompted for authentication. This is not hard. You just type your admin user name instead of your own. Heck, you can even make your admin and standard accounts have the same password. But do use an admin account. This is a significantly more secure way to operate your system. YOU MUST DO THIS.

When the install is complete, registration is done, etc, you'll eventually be logged in as your admin user. 

Finish the initial installation by installing the developer tools. They're on the install DVD.

Administrative Setup
Open System Preferences->Software Update and run Software Update. There are a few updates you need to install. Install em.

Open System Preferences->Network and set up your network locations, etc. It's new and improved. Nice.

Open System Preferences->Sharing and turn on any services you use like SSH, Printer Sharing, etc. The UI has been overhauled, but it makes sense.

Open System Preferences->Security
General tab
  • require password to wake this computer from sleep
  • disable automatic login
  • use secure virtual memory (you also need to wipe free space periodically)
  • disable remote control infrared receiver (pair it up if you must use one)

FileVault tab
  • set master password. Don't write it down. Memorize it.
  • Turn on FileVault for your admin user. And later when you su to your admin user, drop the "-" and just "su [admin]" so that it inherits your path. Otherwise your path will lack your beloved macports at /opt/local and you will suffer.

Firewall tab
  • Set access for specific services and applications (SSH, etc), or set to Block all incoming if you really have no incoming connections.
There's been a lot of hubbub about Leopard's firewall. It's sounding like FUD, but it may require redress in the near future.
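A command-line check for the same Security pane settings, added here as an example and not part of the original post, so you can confirm the GUI clicks actually took. It assumes the preference domains and keys used on 10.5-era systems (com.apple.screensaver askForPassword, com.apple.loginwindow autoLoginUser, com.apple.virtualMemory UseEncryptedSwap, com.apple.driver.AppleIRController DeviceEnabled, com.apple.alf globalstate); later releases moved some of these, so treat the keys as assumptions to verify on your own box. FileVault has no simple defaults key and is not covered. Run it from the admin account, since the /Library/Preferences domains are system-wide.

```shell
#!/bin/sh
# Added example, not part of the original post: check the Security pane
# settings from the command line so you can confirm the GUI clicks took.
# Assumed preference domains and keys (10.5-era; later releases moved some):
#   com.apple.screensaver askForPassword             1 = password on wake
#   com.apple.loginwindow autoLoginUser              unset = auto-login off
#   com.apple.virtualMemory UseEncryptedSwap         1 = secure virtual memory
#   com.apple.driver.AppleIRController DeviceEnabled 0 = IR receiver off
#   com.apple.alf globalstate                        1 = specific services, 2 = block all
# FileVault has no simple defaults key and is not covered here.

# Read one preference value; empty output means unset or unreadable.
read_pref() {
    defaults read "$1" "$2" 2>/dev/null || true
}

# check_pref LABEL DOMAIN KEY EXPECTED: print PASS/FAIL, return 0/1.
check_pref() {
    actual=$(read_pref "$2" "$3")
    if [ "$actual" = "$4" ]; then
        echo "PASS  $1"
        return 0
    fi
    echo "FAIL  $1 (expected '$4', got '${actual:-<unset>}')"
    return 1
}

# Run every check and return the number that failed.
count_failures() {
    fails=0
    check_pref "password required to wake" \
        com.apple.screensaver askForPassword 1 || fails=$((fails + 1))
    check_pref "automatic login disabled" \
        /Library/Preferences/com.apple.loginwindow autoLoginUser "" || fails=$((fails + 1))
    check_pref "secure virtual memory on" \
        /Library/Preferences/com.apple.virtualMemory UseEncryptedSwap 1 || fails=$((fails + 1))
    check_pref "infrared receiver disabled" \
        /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled 0 || fails=$((fails + 1))
    # The firewall has two acceptable states: specific services (1) or block all (2).
    fw=$(read_pref /Library/Preferences/com.apple.alf globalstate)
    case "$fw" in
        1) echo "PASS  firewall: access limited to specific services" ;;
        2) echo "PASS  firewall: block all incoming" ;;
        *) echo "FAIL  firewall is off (globalstate='${fw:-<unset>}')"
           fails=$((fails + 1)) ;;
    esac
    return "$fails"
}

# Print the report plus a one-line summary; always exits 0 so it is safe
# to call from a login script.
audit_security() {
    n=0
    count_failures || n=$?
    echo "$n check(s) failed"
}

audit_security
```

Because every read goes through read_pref, the checks can be exercised against constructed values (or ported to a newer release by changing one function) without touching the rest of the script.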

Open System Preferences->Accounts. Set up your user account with Standard user permissions. Do NOT give it admin perms.

Log out of admin account.

User Setup

Log into user account.

System Preferences->Security, FileVault tab. Turn on FileVault for your user account.

System Preferences->Keyboard, Modifier Keys... set Caps Lock to No Action.

Open Safari. Open preferences(CMD-,) and deselect "Open 'safe' files after downloading."

Setup Media Dirs

The preferred media setup is a little different in a FileVaulted account. Store movies and music (mp3's, Greg The Bunny Episodes, etc) that you don't need to secure under /Users/Shared, which is not FileVaulted. This makes your FileVaulted home dir smaller, and makes incremental backups quicker (maybe MUCH quicker). 

First, we're going to create itunes and movies dirs. We'll also make an alias to the Movies dir, which is a little complicated.  Open Terminal and:
% mkdir /Users/Shared/Movies
% mkdir /Users/Shared/iTunes\ Music
% su - [admin-user-id]
% sudo bash
% cd /Users/[your user account]
% rm -rf Movies          # better not have crap in here
% exit                   # exiting root shell
% exit                   # exiting admin user
% ln -s /Users/Shared/Movies ~/Movies
% rmdir ~/Music/iTunes/iTunes\ Music
% exit
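The same relocation as a script, added here as an example that is not part of the original post. It does the work of the commands above without rm -rf: only empty directories are removed (rmdir never deletes contents), a Movies folder that still holds files is refused rather than wiped, and running it twice is harmless. SHARED_DIR and HOME_DIR are parameters; the paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: move Movies and the iTunes
# music folder out of a FileVaulted home into a shared directory, but
# without rm -rf. Only empty directories are removed, and re-running it is
# harmless. SHARED_DIR and HOME_DIR are parameters; the values in the
# usage line at the bottom are assumptions.

# relink_media SHARED_DIR HOME_DIR
# Returns 0 when HOME_DIR/Movies is a symlink to SHARED_DIR/Movies,
# 1 when it declined because HOME_DIR/Movies still holds files.
relink_media() {
    shared=$1
    home=$2

    mkdir -p "$shared/Movies" "$shared/iTunes Music"

    # Old iTunes Music folder: drop it only if empty. iTunes is then pointed
    # at the shared folder from Preferences->Advanced.
    rmdir "$home/Music/iTunes/iTunes Music" 2>/dev/null || true

    if [ -L "$home/Movies" ]; then
        echo "$home/Movies is already a link to $(readlink "$home/Movies")"
        return 0
    fi
    if [ -d "$home/Movies" ]; then
        # rmdir fails on a non-empty directory, which is exactly what we want.
        if ! rmdir "$home/Movies" 2>/dev/null; then
            echo "refusing: $home/Movies is not empty; move its contents to $shared/Movies first" >&2
            return 1
        fi
    elif [ -e "$home/Movies" ]; then
        echo "refusing: $home/Movies exists and is not a directory" >&2
        return 1
    fi
    ln -s "$shared/Movies" "$home/Movies"
    echo "$home/Movies -> $shared/Movies"
    return 0
}

# Usage (assumed paths):
# relink_media /Users/Shared "$HOME"
```

If it refuses, move the contents into the shared Movies folder by hand and run it again; the second run finds an empty directory and completes the link.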
Now for the copying:
  • Mount one of your backup disks.
  • Launch iTunes, select Preferences->Advanced tab->iTunes music folder location->Change... and select /Users/Shared/iTunes Music (the folder created above).
  • Drag music from the backup disk onto iTunes (the application), and voila, iTunes copies the files to /Users/Shared/iTunes Music.
  • Copy your movies into your movies dir.
  • Copy the rest of your home directory contents; Documents, Pictures, etc.
  • Copy your dot files: .zshrc, .bashrc, .ssh/, .unison/, etc.
  • Safari bookmarks, located at ~/Library/Safari/Bookmarks.plist
Migrate your Keychain
To get your keychain from your 10.4 instance, do the following:
  • cp [10.4 disk user home dir]/Library/Keychains/login.keychain ~/Library/Keychains/[username].keychain
  • open "/Applications/Utilities/Keychain Access.app"
  • From main menu, select Edit->Keychain List
  • Click the "+"  and add your [username].keychain
  • In the Keychains list, select your new [username].keychain and unlock it by clicking the padlock icon
  • With the [username].keychain still selected, select File->Make Keychain "[username]" Default
  • Select Keychain Access->Keychain First Aid just to make sure everything's aiight.
Migrate Address Book
  • Quit address book if it's running.
  • Select all files in your backup at ~/Library/Application Support/AddressBook
  • Drag-copy into your new AddressBook directory
  • Open Address Book and make sure the data made it
Import Mail
Set up your mail accounts. Then select File->Import Mailboxes... and navigate to ~/Library/Mail/Mailboxes. Select mailboxes you want to suck in on the following screen.

Secure Safari
Open Safari->Preferences. In the General preferences tab, make sure 'Open "Safe" files after downloading' is unchecked. Leaving it checked is a serious security hole.

Secure Terminal
Open Terminal, select "Secure Keyboard Entry" from the Terminal menu. This prevents other applications from reading when you're typing into Terminal.

Install Apps
Assuming you're on a single user machine, don't install applications into /Applications. mkdir ~/Applications and install apps there. This is superior: the apps live under your own account rather than the system-wide directory, so installing and updating them never needs admin rights.

Install the following:
  • Quicksilver.
  • Macports. Build whatever packages you need. Subversion compiles, but it requires two passes. One of the deps fails the first time. Synergy compiles. Note that ocaml does not build, so unison (via macports) is a no go (sucks big time).
  • A unison binary, dropped into ~/bin. If you're using unison against a cygwin'd Windows machine, grab version 2.27. That version is available on cygwin, and the binary works on Leopard.
  • Intellij IDEA 7.0.1
  • Colloquy.
  • Groovy 1.1 rc2. Groovy 1.0 tries to fiddle with ulimit, which borks. If you must have 1.0, you can hack startGroovy.
  • Little Snitch 2.0 beta. There's a public beta license key, after it expires you pay.
  • Microsoft's RDC 2.0 beta
  • Firefox. Safari is SO fast now that I haven't used Firefox much.
  • TextMate
  • Cisco VPN
  • iStat menus
Backups
This sucks at the moment, since there's no SuperDuper!. At a minimum, log in as your admin user and cp your standard user's .sparseimage file, then rsync /Users/Shared dir (your mp3's and movies are there, remember?).
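The interim backup described here, as an added example that is not part of the original post: copy the standard user's FileVault image, mirror /Users/Shared, and compare checksums of the image copy before trusting it. It assumes you run it logged in as the admin user (so the standard user's image is not mounted during the copy), that rsync is available (it falls back to cp -Rp otherwise), and that the image is either a single .sparseimage file as the post says or a bundle directory; the paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the interim backup the post
# describes (copy the standard user's FileVault image, then sync
# /Users/Shared), followed by a checksum comparison of the image copy.
# Run it logged in as the admin user so the standard user's image is not
# mounted while it is copied. All paths are parameters; the ones in the
# usage line at the bottom are assumptions.

# tree_sum PATH: one checksum line for a file, or for the sorted contents
# of a directory (a bundle-style image is a directory of band files).
tree_sum() {
    if [ -d "$1" ]; then
        ( cd "$1" && find . -type f | LC_ALL=C sort |
            while IFS= read -r f; do cksum < "$f"; done ) | cksum
    else
        cksum < "$1"
    fi
}

# backup_user_data IMAGE SHARED_DIR DEST_DIR
# Returns 0 if the image copy verifies, 1 otherwise.
backup_user_data() {
    image=$1
    shared=$2
    dest=$3
    name=$(basename "$image")
    mkdir -p "$dest/Shared"

    # Copy the image, keeping timestamps and permissions.
    if [ -d "$image" ]; then
        cp -Rp "$image" "$dest/"
    else
        cp -p "$image" "$dest/"
    fi

    # Mirror the shared dir (your mp3's and movies are there, remember?).
    if command -v rsync >/dev/null 2>&1; then
        rsync -a --delete "$shared/" "$dest/Shared/"
    else
        cp -Rp "$shared/." "$dest/Shared/"
    fi

    # Verify the image copy before trusting it.
    if [ "$(tree_sum "$image")" != "$(tree_sum "$dest/$name")" ]; then
        echo "image copy does not verify: $dest/$name" >&2
        return 1
    fi
    echo "backup of $image and $shared written to $dest"
    return 0
}

# Usage (assumed paths):
# backup_user_data /Users/alice/alice.sparseimage /Users/Shared /Volumes/Backup/alice
```

The checksum step is the scripted version of "reboot from your backups to ensure they're good": a copy of an encrypted image that does not verify is worthless, and you want to know that before the primary disk fails.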

Coming soon - Lock Your Firmware

1 comment:

Case said...

One modification based on feedback about time machine not operating smoothly with file vault protected accounts (posting) is to create a smaller encrypted disk image and put sensitive data there, rather than encrypt everything.

The other issue I've noticed with secure installation is that the Microsoft Office updater doesn't run properly unless run from admin account.

But other than that, I've been running with it happily for a few weeks now.