How to make Mac OS X well-behaved unix system

The scope of this how-to is an installation of Mac OS in a more secure manner, making Mac OS the regular UNIX system geeks are used to. Featuring system disk encryption and ports system installation. This guide is written for Mac OS X 10.7 Lion -- but remember: since Rosetta is missing, Lion won't run any older PPC application (not even FCP 6).

1] clean install
==============

First we have to do a clean installation of Mac OS X. It's not quite usual, because Mac OS X doesn't require constant reinstallation as seen on Windows. But since we don't know all the software on the computer we acquired (it might even be a second-hand Mac), let's do a clean format of the system drive and a clean installation of Mac OS, focused on sanity.

1a] get installation media (ISO or DVD)

// in case of Mac OS X 10.7 Lion around 4.5 GB

1b] prepare flash disk with install media

// you can burn the iso image on dvd as well
// if the iso image is bigger than 4.5GB, use a dual-layer DVD

Under Disk Utility (Applications/Utilities) first erase the flash drive (filesystem Mac OS Extended). Then click "Restore" and in "Source" drag-and-drop the .iso file with the installation media. In "Destination" drag-and-drop the flash drive. Click "Restore".

// optionally, if you know how, you can do it with the "dd" command-line tool
//
// if there are problems with Disk Utility, you'll have to resort to dd
// anyway (note the lowercase "m" in the block size, which is what the BSD
// dd on Mac OS X accepts):
//
//   dd bs=1m if=source_media.iso of=/dev/yourflashdrivedevice
//
// mac os x 10.7 cannot dd if the flash stick was ejected using the GUI;
// instead of it, use:
//
//   hdiutil umountDisk /dev/yourflashdrivedevice

1c] Boot up from the flash disk or DVD.

Insert the media and hold the ALT (Option) key during early startup. A menu appears -- choose the installation media here and wait till it boots.

1d] Disconnect the Internet.

Unplug the Internet connection cable (if any). Since we don't have the computer's network interface under control, we won't allow Apple.com to mess with our computer during installation.
// Optionally you can disable the Internet connection on the upstream firewall.
// Unplugging the computer and checking unavailability of wi-fi is safe.

1e] Let's format the system disk. (Mac OS X calls it "Erase".)

In the installation software, there is a menu at the top of the screen, similar to the rest of Mac OS X. Choose Utilities > Disk Utility. Erase the system disk using the Erase function of Disk Utility. Choose filesystem "Mac OS Extended" (case-sensitive, journaled, encrypted).

// The journal will help you in case of sudden loss of power.
// Case sensitivity is a feature of modern UNIX systems, so let's use it.
// If you select 'encrypted', your system drive will be encrypted and the
// password asked during boot -- this can avoid annoying problems with the
// filevault2 installation (especially when you miss a Recovery HD)

Under "Security options" you can choose the method of formatting the drive. Previous data can reside on the disk even after a format, if it is not overwritten. Choose the precision (safety) of formatting. The more paranoia, the more rewrites.

// A single pass rewrite (zero out data) lasts around 2 hours on a 1TB drive.

1f] Then install the system. Easy as intended in Redmond and Cupertino.

2] privilege separation
=====================

During installation, you will be asked for the first user's name. It's important to separate a "normal user account" for daily work from an "administrator account". Only the latter will have permissions to change the system, and any time you do something with system settings or files, you'll be asked for the admin's password. So first create the 'master' (or whatever name) account; the user account can be created later.

3] application firewall
====================

After a fresh installation, install firewall software. You can use the UNIX firewall built into Mac OS X, or use the application firewall GUI called Little Snitch (or its clone, "Hands Off!").
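Before writing rules for either firewall, it helps to know which daemons already hold outbound connections. The script below is an added example, not part of this how-to nor of Little Snitch; it works on the output of "lsof -nP -i" (present on Mac OS X and Linux) and reports every process with an established TCP connection that is not on an allowlist you pass in. The sample listing is constructed for the demo (documentation IP ranges, made-up PIDs), and the names outbound_connections / unexpected_talkers are this example's own.

```sh
#!/bin/sh
# Added example: find which processes currently hold outbound TCP connections,
# the same question an application firewall rule set answers. Runs on the
# output of `lsof -nP -i` (Mac OS X and Linux). The sample below is constructed,
# not captured from a real machine; the addresses are documentation ranges.

SAMPLE_LSOF='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
storeagent  312 alice   7u  IPv4 0x1a2b      0t0  TCP 192.0.2.10:49201->198.51.100.7:443 (ESTABLISHED)
applepushs  118 root    5u  IPv4 0x1a2c      0t0  TCP 192.0.2.10:49202->198.51.100.8:5223 (ESTABLISHED)
ssh        4021 alice   3u  IPv4 0x1a2d      0t0  TCP 192.0.2.10:49203->203.0.113.5:22 (ESTABLISHED)
sshd        200 root    3u  IPv6 0x1a2e      0t0  TCP *:22 (LISTEN)
mDNSRespon   45 _mdns   9u  IPv4 0x1a2f      0t0  UDP *:5353'

# outbound_connections: read lsof -nP -i output on stdin and print one line
# per established TCP connection: "<command> <pid> <remote host:port>".
# Listening sockets and UDP are skipped; only the remote end is printed.
outbound_connections() {
    awk '$NF == "(ESTABLISHED)" && $(NF-2) == "TCP" {
        n = split($(NF-1), ends, "->")
        if (n == 2) print $1, $2, ends[2]
    }'
}

# unexpected_talkers ALLOWLIST: same input on stdin, but only report commands
# that are not in the space-separated ALLOWLIST (the processes you have
# decided may talk, e.g. "ssh curl"). Everything else deserves a rule.
unexpected_talkers() {
    allow=" $1 "
    outbound_connections | while read -r cmd pid remote; do
        case "$allow" in
            *" $cmd "*) ;;    # expected, say nothing
            *) printf '%s %s %s\n' "$cmd" "$pid" "$remote" ;;
        esac
    done
}

# Stand-alone run on the constructed sample; on a real machine replace the
# printf with:  sudo lsof -nP -i | unexpected_talkers "ssh"
printf '%s\n' "$SAMPLE_LSOF" | unexpected_talkers "ssh"
```

Run on the sample it prints storeagent and applepushserviced (lsof truncates the name) with their remote ends, the same two daemons that show up in the default Little Snitch rules below. Rerun it after the rules are in place: anything that still appears is talking around your firewall.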
The application firewall will prevent the system from talking over the Internet behind your back, based on rules set for particular applications or daemons. In the Little Snitch configuration I disable the default rules for:

  Any connection to icloud.com
  App Store
  AppleIDAuthAgent
  applepushserviced
  quicklookconfig
  storeagent
  XProtectUpdate

I won't use any of those services, especially not the App Store and iCloud, since I am afraid of data leaks. Over time, other attempts of system services to connect somewhere out will occur. Just judge carefully which ones you want to allow.

// Little Snitch in recent versions does have strange functionality -- it
// prevents every application except itself from accessing the web. Someone
// who used a cracked version was surprised by LS connecting to the developer
// site and checking the serial number, even when forbidden by its own rules.
// Code obfuscation was employed, according to reverse engineers. The LS clone
// "Hands Off!" doesn't seem to exhibit these features.
// https://sentinelone.com/blogs/shut-snitch-reverse-engineering-exploiting-critical-little-snitch-vulnerability-reverse-engineering-mac-os-x/

4] software update
================

Apple in the corner > Software Update ... If you wish. This will make a traceable request to Apple's servers. On the other hand, this is the only official way to patch known system bugs.

// lion is the last version of mac os x which doesn't use the appstore to
// update software
// to install updates on the command-line, see:
// http://osxdaily.com/2011/01/13/install-mac-os-x-software-updates-terminal/

5] xcode
======

Mac OS X is equipped with some standard unix tools (as it's a unix, based on freebsd actually), but is missing compilers and header files. Those you can get under the name Xcode and especially "Xcode command-line tools" from developer.apple.com.

// http://www.linuxforu.com/2013/04/os-x-command-line-tools/

Since the download requires registration and licence agreements, you can consider other ways of getting it.
// don't forget to get the right version:
// mac os x lion and mountain lion = xcode4
// mac os x snow leopard = xcode3

7] macports
========

Now you can install "macports" from www.macports.org. Macports is a ports collection for Mac OS X, which allows you to install all your favorite CLI software. The key command is "port", which has to be executed as admin (or root).

sudo port selfupdate                   // synchronise the ports collection via rsync
sudo port search packagenamewhatever   // search for a port in the local ports database
sudo port install packagenamewhatever  // installs a package

All the ports are installed under /opt/local. You should add /opt/local/bin and /opt/local/sbin to your PATH, and set the MANPATH variable, in your shell configuration; then the port commands will be executed properly.

To keep the installed ports up-to-date, you can run the sequence:

sudo port selfupdate
sudo port upgrade outdated

from time to time. It downloads the updated sources for all the installed ports and rebuilds them. It sometimes gets stuck on some port; then use the -vvv command option to debug the problem, or try to deinstall or upgrade the problematic port individually.
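The PATH change above, and the hint in 7a] to put the MacPorts directories *before* /bin and /usr/bin, are easy to get subtly wrong: sourcing the shell rc twice grows PATH, and a stray /usr/bin in front silently hands you Apple's old binary instead of the port. Here is an added example (my code, not MacPorts' own) of a shell rc fragment that prepends the directories idempotently and lets you check which executable a name really resolves to. It is POSIX sh and runs in bash, zsh and dash; the MANPATH value /opt/local/share/man in the comment is the MacPorts default as I know it, not something stated on this page.

```sh
#!/bin/sh
# Added example: build a PATH that prefers MacPorts binaries. path_prepend
# removes any earlier copy of the directory first, so sourcing your shell rc
# twice does not leave duplicates and /bin never sneaks back in front of
# /opt/local/bin. Pure POSIX sh, works in bash, zsh and dash as well.

# path_prepend DIR PATHVALUE: print PATHVALUE with DIR at the front and any
# other occurrence of DIR removed.
path_prepend() {
    want=$1
    _old_ifs=$IFS
    set -f              # no globbing while we split on ':'
    IFS=:
    set -- $2           # PATHVALUE entries become the positional parameters
    IFS=$_old_ifs
    set +f
    rest=
    for d; do
        [ -z "$d" ] && continue          # drop empty entries (they mean ".")
        [ "$d" = "$want" ] && continue   # drop the old copy of DIR
        rest="${rest:+$rest:}$d"
    done
    printf '%s\n' "${want}${rest:+:$rest}"
}

# macports_path PATHVALUE: MacPorts dirs first, as the hint in 7a] suggests,
# bin before sbin.
macports_path() {
    p=$(path_prepend /opt/local/sbin "$1")
    path_prepend /opt/local/bin "$p"
}

# first_in_path NAME PATHVALUE: print the executable NAME resolves to under
# PATHVALUE, i.e. which version (port or Apple's) you would really run.
# Returns 1 and prints nothing when no directory has it.
first_in_path() {
    name=$1
    _old_ifs=$IFS
    set -f
    IFS=:
    set -- $2
    IFS=$_old_ifs
    set +f
    for d; do
        if [ -n "$d" ] && [ -x "$d/$name" ]; then
            printf '%s\n' "$d/$name"
            return 0
        fi
    done
    return 1
}

# Stand-alone demo. To use it for real, put in ~/.profile (sh/bash/zsh):
#   PATH=$(macports_path "$PATH"); export PATH
#   MANPATH=/opt/local/share/man:$MANPATH; export MANPATH   # MacPorts man dir (assumed default)
printf 'PATH would become: %s\n' "$(macports_path /usr/bin:/bin:/usr/sbin:/sbin)"
printf 'sh resolves to:    %s\n' "$(first_in_path sh "$(macports_path /usr/bin:/bin)")"
```

After installing a port that shadows a system tool (openssl, curl, ssh), run first_in_path with that name: if it still answers /usr/bin/..., the ordering is wrong and the Apple version, with its few security updates, is the one you are using.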
To clean up the source code and free some disk space, use:

sudo port clean all

and

sudo port uninstall inactive

7a] hints for advanced:
===================

* if you wish all the ports to be built from source (and avoid downloading pre-compiled packages), change the setting to:

    buildfromsource always

  in: /opt/local/etc/macports/macports.conf

* to speed up building, you can disable spotlight indexing of all the source files (in most cases unnecessary) and portfiles: in System Preferences > Spotlight > Privacy add /opt/local/

* since there are few security updates provided by apple for basic tools, you can choose to prefer the port versions, by putting /opt/local/bin and /opt/local/sbin in your PATH setting *before* /bin /sbin /usr/bin and /usr/sbin

8] get the root
============

Boot into single-user mode (press Apple-S), do fsck and remount the system read-write, as suggested on the screen. Then:

passwd   // change the root's password
reboot

// You can do this with any Mac machine you meet -- unless a firmware
// password is set (the recovery system in 9] has the utility for it), which
// blocks single-user mode and booting from other media without the password.

9] recovery partition
===================

Out of the factory, Apples are equipped with a hidden 'Recovery HD' partition which can be booted by pressing CMD+R during the startup sound (or by pressing ALT and choosing 'recovery hd'). On a brand new disk, the installer (10.7.X) won't create the Recovery partition itself, but it can be created manually. Usable if problems occur: you still have an emergency system with terminal, disk utility, firmware ("bios") password utility etc.

// Recipe in CLI:
// http://apple.stackexchange.com/a/52916

10] full disk encryption
====================

If you wish, you can experiment with FileVault2, Apple's full disk encryption system. But please keep in mind that it's proprietary software which may contain backdoors (an unknown master key or so) and thus shouldn't be considered secure. It's also dependent on the strength of the password (use a long one).
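The CoreStorage commands that follow identify volumes by UUID, and "diskutil corestorage list" prints them inside a tree that is tedious to read by eye. The script below is an added example (not Apple's tooling, not part of this how-to) that pulls the Logical Volume UUID, its disk, encryption type, encryption status and whether it is revertible out of that listing, so you can see at a glance what is encrypted and which UUID a revert would need. The listing embedded in it is constructed to mimic the shape of the real output; the UUIDs are made up, and the function names cs_logical_volumes / cs_lv_uuid_for_disk are this example's own.

```sh
#!/bin/sh
# Added example: pull the Logical Volume UUID (the value `diskutil
# corestorage revert` wants) and the encryption state out of
# `diskutil corestorage list`. The listing below is constructed to mimic the
# tree that command prints; the UUIDs are made up.

SAMPLE_CS_LIST='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 11111111-2222-3333-4444-555555555555
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-< Physical Volume AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk0s2
    |   Status:   Online
    |
    +-> Logical Volume Family 66666666-7777-8888-9999-000000000000
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Passphrase Required:     Yes
        |
        +-> Logical Volume FFFFFFFF-EEEE-DDDD-CCCC-BBBBBBBBBBBB
            ---------------------------------------------------
            Disk:                  disk1
            Status:                Online
            Revertible:            Yes (unlock and decryption required)
            LV Name:               Macintosh HD'

# cs_logical_volumes: read the listing on stdin, print one line per logical
# volume: "<lv uuid> <disk> <encryption type> <encryption status> <revertible>"
cs_logical_volumes() {
    awk '
        /Logical Volume Group/ || /Physical Volume/ { in_lv = 0; next }
        /Logical Volume Family/ { enc_type = "-"; enc_status = "-"; in_lv = 0; next }
        /Encryption Status:/    { enc_status = $NF; next }
        /Encryption Type:/      { enc_type = $NF; next }
        # a bare "Logical Volume <uuid>" line; Group/Family lines fail the hex-only match
        /Logical Volume [0-9A-Fa-f-]+$/ { lv = $NF; disk = "-"; in_lv = 1; next }
        in_lv && /Disk:/        { disk = $NF; next }
        in_lv && /Revertible:/  { print lv, disk, enc_type, enc_status, $2 }
    '
}

# cs_lv_uuid_for_disk DISK: the UUID to pass to "diskutil corestorage revert"
# for the logical volume that shows up as DISK (e.g. disk1), or nothing.
cs_lv_uuid_for_disk() {
    cs_logical_volumes | awk -v d="$1" '$2 == d { print $1 }'
}

# Stand-alone run on the constructed listing; on a real Mac use
#   diskutil corestorage list | cs_logical_volumes
printf '%s\n' "$SAMPLE_CS_LIST" | cs_logical_volumes
```

On the sample this prints one line, "FFFFFFFF-EEEE-DDDD-CCCC-BBBBBBBBBBBB disk1 AES-XTS Unlocked Yes": disk1 is the encrypted logical volume, it is unlocked right now, and the first column is what a revert would take. A physical volume such as disk0s2 yields nothing, which is the right answer, since revert wants the logical volume, not the slice underneath it.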
Commands to explore:

# basic commands list
diskutil corestorage
  or
diskutil cs

# list the volumes
diskutil corestorage list

# encrypt a disk
diskutil corestorage convert /dev/diskXsX -passphrase
# where /dev/diskXsX is the drive to encrypt; the password is asked for

# take it back, if confused
diskutil corestorage revert XXX-XXXX-XXXXX-XXXXXX
# where XXX is the UUID got from diskutil corestorage list

You can encrypt even the boot disk; you need a recovery partition on the drive to do so. You'll be asked for the disk password during boot.

details:
// http://blog.fosketts.net/2011/08/05/undocumented-corestorage-commands/
and man diskutil

11] goodies
========

a] verbose boot

sudo nvram boot-args="-v"

// set "verbose" mode on boot-up -- this will show all the text output
// during the boot, not only the white screen with bio-degradable waste

b] locale

If you want your terminal to work properly with utf-8 encoded chars, you should set your locale to a utf-8 one. Furthermore, you can get strange tar error messages during some software installation:

tar: Failed to set default locale

That's the locale problem.

// if you are using tcsh, set the following in ~/.tcshrc:

setenv LC_ALL en_US.UTF-8
setenv LANG en_EN.UTF-8

// and check by command:

locale

Output should be something like this:

LANG="en_EN.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_CTYPE="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_ALL="en_US.UTF-8"

/////// REMARK

The overall impression of Lion OS is a coming dependency on Apple's services. AppStore, iTunes, iCloud and others will be built into your computer. You will be offered to store ('backup') data on Apple's servers, and to disclose your contacts, personal information, telephone and card numbers to the OS's manufacturer in the near future.

EOF