Nov 12

First Impressions of Leopard

Category: Mac OS X

I’ve had Leopard fully installed and running now for about 2 weeks, enough time to get to know it pretty well, and I like what I see so far. Unfortunately, I was one of the unlucky few that preordered and received a defective Family Pack DVD. This was a quite frustrating experience, but a trip to the Apple Store to exchange for a new disk remedied that problem, and I was off and running. My views tend to focus more on the nuts and bolts - what goes on under the hood. So, some of the features I talk about aren’t the ones you’ll hear about in Apple’s glossy advertisements. Since it took me longer to get this out than I originally anticipated, some of this is already well known, but some isn’t. Anyway, without further ado, my observations after about 2 weeks of Leopard:

  1. Naming Services Changes
    NetInfo was officially supposed to die with Leopard, and, with great joy, it has. The replacement is very interesting. There was speculation that there would be a local copy of OpenLDAP slapd running with the naming information for each machine, but Apple did not go that route. Instead, each “node” of the various naming services (each machine entry, user entry, group entry, etc.) in the local naming services database is a plist file. Take a look at /private/var/db/dslocal; this is where the local directory info is stored. Under the nodes directory there is a directory for each record type (machines, users, groups), and inside each of those are the plist files containing the entries.
  2. Local Kerberos KDC
    I can’t see that anything is actually making use of it as of yet, but Leopard is running its own local MIT Kerberos KDC. The configs live in /var/db/krb5kdc. If you look at the plist file for a local user in /var/db/dslocal, you’ll see that the AuthAuthority attribute (the attribute used by Open Directory to determine how to authenticate a user) even contains a Kerberos listing for the local KDC along with the standard ShadowHash entry.
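To make the dslocal layout and the AuthAuthority values concrete, here is an added Python example (mine, not Apple’s code) that parses a user record shaped like the plist files under the dslocal nodes directory and reports which authentication mechanisms it lists. The record is constructed: the node name Default, the key name authentication_authority, and the ";"-separated ShadowHash / Kerberosv5 value layout are my assumptions about the on-disk format, and the hash strings are placeholders.

```python
"""Classify the authentication authorities in a dslocal-style user record."""
import plistlib

# Constructed record in the shape of /var/db/dslocal/nodes/Default/users/alice.plist.
# Key names and value layout are assumptions; hashes are placeholders.
SAMPLE_USER_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>name</key>
  <array><string>alice</string></array>
  <key>uid</key>
  <array><string>501</string></array>
  <key>gid</key>
  <array><string>20</string></array>
  <key>home</key>
  <array><string>/Users/alice</string></array>
  <key>authentication_authority</key>
  <array>
    <string>;ShadowHash;</string>
    <string>;Kerberosv5;;alice@LKDC:SHA1.PLACEHOLDERHASH;LKDC:SHA1.PLACEHOLDERHASH</string>
  </array>
</dict>
</plist>
"""


def load_record(data: bytes) -> dict:
    """Parse one dslocal record (XML plist bytes) into a dict of attribute lists."""
    return plistlib.loads(data)


def parse_auth_authority(value: str) -> dict:
    """Split one ';'-separated authority string; field 1 is the mechanism tag."""
    fields = value.split(";")
    tag = fields[1] if len(fields) > 1 else ""
    return {"tag": tag, "fields": fields[2:]}


def classify_auth(record: dict) -> dict:
    """Report which mechanisms a record lists and whether Kerberos points at the local KDC."""
    result = {"shadow_hash": False, "local_kdc_kerberos": False, "kerberos_principal": None}
    for raw in record.get("authentication_authority", []):
        auth = parse_auth_authority(raw)
        if auth["tag"] == "ShadowHash":
            result["shadow_hash"] = True
        elif auth["tag"] == "Kerberosv5" and len(auth["fields"]) >= 2:
            # assumed layout of the remaining fields: [version, principal, realm];
            # an "LKDC:" realm is the machine's own local KDC
            principal = auth["fields"][1]
            result["kerberos_principal"] = principal
            realm = principal.split("@", 1)[-1]
            result["local_kdc_kerberos"] = realm.startswith("LKDC:")
    return result


def summarize(record: dict) -> str:
    """One-line, human-readable summary of the record."""
    auth = classify_auth(record)
    mechs = [label for label, on in (("ShadowHash", auth["shadow_hash"]),
                                     ("local-KDC Kerberos", auth["local_kdc_kerberos"])) if on]
    return (f"{record['name'][0]} (uid {record['uid'][0]}, home {record['home'][0]}): "
            + ", ".join(mechs))


if __name__ == "__main__":
    print(summarize(load_record(SAMPLE_USER_PLIST)))
```

Point the loader at a real record from the nodes directory (reading the file as bytes) to see whether a given account carries only the ShadowHash authority or the local-KDC Kerberos one as well.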
  3. StartupItems is gone
    One of the very welcome enhancements is the removal of any stock services relying on StartupItems, the pre-Tiger way of starting up services. Everything has finally been moved to launchd control, with the exception of a couple of mach_init services. I also noticed that there are quite a few more entries in the system LaunchDaemons directory, and the system LaunchAgents directory is also heavily populated (in Tiger, the system LaunchAgents directory was empty on install). Since launchd is the application launching platform for the system, it’s interesting to note that launchctl list now displays all processes, daemons, and agents launched for a user instead of just the managed LaunchDaemons/LaunchAgents jobs.
  4. ACLs on by default
    Filesystem ACLs are enabled by default now, and some good default ACLs are applied to certain folders (/Applications, /System, home directories, etc.) that keep anyone from accidentally deleting them. See the chmod man page for how to edit ACLs from the command line. Beyond that, the Get Info dialog in Leopard has received a workable update that allows editing ACLs from the GUI.
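As an added example (mine, not Apple’s code) of why a default ACL entry protects a folder even when the mode bits would let you remove it, the following Python models the evaluation of entries in the form ls -le prints them. The listings are constructed; the evaluation rules (entries checked in order, the first entry that applies to the user and names the requested right decides, rights no entry decides fall through to the POSIX bits) are a simplified model, and posix_fallback=True stands for “the mode bits alone would have allowed it”.

```python
"""Model how a Leopard-style ACL entry overrides POSIX mode bits."""
import re
from dataclasses import dataclass

# Constructed in the shape of 'ls -led' output for /Applications on Leopard.
DEFAULT_LISTING = """\
drwxrwxr-x+ 61 root  admin  2074 Nov 12 10:00 /Applications
 0: group:everyone deny delete
"""

# Constructed: an allow entry placed ahead of the deny, to show that order matters.
REORDERED_LISTING = """\
drwxrwxr-x+ 61 root  admin  2074 Nov 12 10:00 /Applications
 0: user:alice allow delete
 1: group:everyone deny delete
"""

ACE_RE = re.compile(r"^\s*\d+: (user|group):(\S+) (allow|deny) (\S+)$")


@dataclass(frozen=True)
class Ace:
    kind: str            # "user" or "group"
    name: str            # principal; the group "everyone" matches every user
    action: str          # "allow" or "deny"
    rights: frozenset    # e.g. {"delete"}; 'ls -le' prints them comma-separated


def parse_listing(text: str):
    """Return (posix_mode, [Ace, ...]) from an 'ls -le'-style listing."""
    lines = text.strip().splitlines()
    mode = lines[0].split()[0]           # e.g. "drwxrwxr-x+"; the "+" marks an ACL
    aces = []
    for line in lines[1:]:
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACE line: {line!r}")
        kind, name, action, rights = m.groups()
        aces.append(Ace(kind, name, action, frozenset(rights.split(","))))
    return mode, aces


def ace_applies(ace: Ace, user: str, groups) -> bool:
    """Does this entry name the user (directly or via a group)?"""
    if ace.kind == "user":
        return ace.name == user
    return ace.name == "everyone" or ace.name in groups


def permitted(aces, user: str, groups, right: str, posix_fallback: bool) -> bool:
    """Simplified model: the first entry that applies to this user and names the
    right decides; if no entry decides it, the POSIX mode bits (posix_fallback) do."""
    for ace in aces:
        if ace_applies(ace, user, groups) and right in ace.rights:
            return ace.action == "allow"
    return posix_fallback


def can_delete(listing: str, user: str, groups) -> bool:
    """Would this user be allowed to delete the listed object, assuming the
    POSIX bits alone would have permitted it?"""
    _mode, aces = parse_listing(listing)
    return permitted(aces, user, groups, "delete", posix_fallback=True)


if __name__ == "__main__":
    print("alice (admin) may delete /Applications:",
          can_delete(DEFAULT_LISTING, "alice", {"admin"}))
    print("same, with an earlier allow entry:",
          can_delete(REORDERED_LISTING, "alice", {"admin"}))
```

The second listing shows the practical caveat: ACL entries are order-sensitive, so an allow entry inserted ahead of the stock deny silently re-opens the hole for that principal, which is worth checking when reviewing ls -le output on the protected folders.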
  5. Quarantining of Internet downloads
    This one is kind of interesting. It was one of the touted items in Apple’s list of 300 updates. I don’t know yet whether this is implemented in one of the Frameworks or in the kernel, but it appears to be enforced using a filesystem extended attribute. On downloaded files, the system applies the com.apple.quarantine extended attribute to the file (or to the files in the case of a bundle, etc.). The system looks for this attribute when executing a program and, if it is present, displays the are-you-sure dialog. If you answer “Yes”, Leopard clears that extended attribute, and the file is cleared to run.
  6. Firewall
    The Leopard firewall has already received quite a bit of attention. The firewall is completely renovated in Leopard. The Tiger firewall was based on the ipfw subsystem. Tiger would keep track (via plist files) of what ports were used by default by certain applications and open them when the service was activated from the Sharing preference pane. ipfw, however, is based on the standard port/address/etc. rules system that most firewalls use. ipfw is still there, but it only contains a single rule no matter how Leopard is configured from the GUI: allow all. This is because the default firewall is now an application-based firewall, the daemon of which is /usr/libexec/ApplicationFirewall/socketfilterfw. There is a corresponding kernel extension, com.apple.nke.applicationfirewall. The ALF (Application Level Firewall), from what I can tell, has a list of allowed applications, watches for socket requests from those applications, and allows them and opens ports for them, etc. If an application opens a listening port, you’ll see a popup asking if you want to allow the application to listen. I have mixed feelings about the ALF so far, as do many others. On the surface, it’s a very good thing, closing ports unless they’re allowed explicitly, and indeed it may be a pretty good improvement over the way the firewall was handled in Tiger for the average user. It’s not extensible enough yet, though. As a network administrator, I routinely allow port access to machines from specific networks, etc. The ALF is not smart enough yet to do that, as it only knows whether or not an application is allowed to talk to or listen on the Internet, in an all-or-nothing fashion (at least from what I’ve seen so far). For a truly robust one-two punch firewall, it looks like both the ALF and ipfw may be necessary. With the combination of the two, however, things can be locked down very tightly. If a ruleset system could be applied to the ALF such that applications could be locked down in a more fine-grained fashion, it would be a killer firewall, especially if those settings could be distributed via Open Directory.
  7. Networked filesystems updates
    First of all, the SMB/CIFS mounter now uses the newer direct CIFS port, 445. This is a welcome update, since some enterprises are disabling the older and chattier NetBIOS subsystem on Windows machines. In addition, there are a couple of other gotchas to look out for here. The SMB/CIFS mounting has been overhauled, and one thing to keep in mind is that it now appears to support the UNIX CIFS extensions. This means that if you’re using a Samba server to serve your Leopard clients, and you haven’t disabled the UNIX CIFS extensions in Samba, Leopard will see the actual symbolic and hard links instead of simply seeing a link as the file it links to. This took me off guard, and may take quite a few other sysadmins off guard as well. Second of all, a much updated automounter system is now present, including something UNIX admins are used to seeing: a /net directory for dynamic host mounts and an automounter-controlled /home directory. In addition, Directory Utility will now let you easily specify directory service-based mount points on your local system (basically local automounter maps). I don’t know yet if they’ve ditched the old /Network/Servers automounting system for this more standardized approach, but I’m willing to bet the older approach is still there. Hopefully the automounted /home directories will be candidates for use with Portable Home Directories. I’ll be looking into this very soon. Finally, for NFS updates (which I haven’t personally tested but are welcome), the NFSv3 subsystem now includes Kerberos authentication as an option, allowing more secure NFS mounts, and NFSv4 is supposed to be coming to Leopard at some point.
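The Samba gotcha above is easy to audit before the Leopard clients arrive. The following added Python example (mine, not from the original post or the Samba project) parses an smb.conf and reports whether the UNIX extensions are still on. The configuration text is constructed; the parameter name unix extensions, its [global] scope, and its default of yes are Samba’s own, and the parser mimics Samba’s habit of ignoring case and whitespace in parameter names.

```python
"""Check an smb.conf for the CIFS UNIX extensions setting that changes how
Leopard's SMB client sees symbolic and hard links on the share."""
import configparser
import re

# Constructed smb.conf that leaves 'unix extensions' at Samba's default (yes).
DEFAULT_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    server string = departmental file server

[homes]
    browseable = no
    writable = yes

[projects]
    path = /srv/projects
    follow symlinks = yes
"""

# Constructed variant with the extensions switched off for the Leopard clients.
NO_EXT_SMB_CONF = DEFAULT_SMB_CONF.replace(
    "[global]\n", "[global]\n    unix extensions = no\n", 1)

SAMBA_TRUE = {"yes", "true", "1", "on"}


def normalise_param(name: str) -> str:
    """Samba ignores case and whitespace in parameter names
    ('Unix Extensions' and 'unixextensions' are the same parameter)."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    """smb.conf is INI-like; duplicate keys are tolerated and '%' is not interpolation."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = normalise_param   # must be set before reading
    cp.read_string(text)
    return cp


def unix_extensions_enabled(cp: configparser.ConfigParser) -> bool:
    """'unix extensions' is a [global] parameter; Samba's default is yes."""
    value = cp.get("global", "unixextensions", fallback="yes")
    return value.strip().lower() in SAMBA_TRUE


def leopard_link_view(cp: configparser.ConfigParser) -> str:
    """What a Leopard client sees for a symlink on the share."""
    if unix_extensions_enabled(cp):
        return "the link itself, with its server-side target path"
    return "the file the link points to"


if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_SMB_CONF), ("extensions off", NO_EXT_SMB_CONF)):
        cp = parse_smb_conf(conf)
        print(f"{label}: unix extensions={unix_extensions_enabled(cp)}; "
              f"Leopard sees {leopard_link_view(cp)}")
```

Run it against the real /etc/samba/smb.conf (read the file into a string first) as a quick pre-flight check; if the extensions are on and the shares contain symlinks with server-local targets, the Leopard clients will see those links rather than the files they point to.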
  8. Account defaults changes
    In Leopard, Apple has departed from the old standard of creating a group for each user. My guess is that this is, at least in part, because ACLs are now enabled by default, meaning that careful manipulation of your umask is no longer as much of a requirement as it once was to ensure that all users who need write access to files and directories keep that access.
  9. ssh-agent Enabled
    This is another item that’s been pretty well covered by some folks already. Leopard now enables the ssh-agent on accounts, and it will store the passphrases for your SSH identity files in your keychain. This is a welcome update and mitigates the need for SSHKeychain to a large extent, though SSHKeychain is very handy for creating port forwarding tunnels.
  10. Network configuration
    While there have been some issues surrounding the new network configuration system, overall I like it very much. Apple did a good job of cleaning up the interface and aggregating all of the network configuration items into one place. The old system of having Internet Connect as well as the Network preference pane was indeed a pain at times. Now that it’s all in the same place, things are much cleaner.
    Being a wireless and security aficionado, I was very interested in their updates to the 802.1X interfaces in Leopard. This has been one place where the initial use was a bit rocky, but I like what they’ve done with it. Now you can set up per-system authentication credentials, per-user credentials, or, as a nice option for enterprise machines, you can tell it to use the credentials supplied at the Login Window as the network authentication credentials. On top of that, 802.1X is now a GUI option for wired Ethernet networks as well. I’ve said for a long time that I expect to see more use of that going forward, and this makes it easier for Mac OS X users to live in that environment.
    Finally, while you could do this before from the command line, it is now possible to set up VLAN or bonded Ethernet interfaces from the Network preference pane. This will be of little use to some, but the ability to easily define VLAN interfaces is definitely of use to me from time to time.
  11. Directory utility
    Leopard now includes a Directory application in the Utilities folder, used for searching any directories set up in Mac OS X. I have yet to set up a directory and play with it, but I intend to. From what I can tell, it basically is a directory search tool for anyone looking for items in the central directory (machines, users, groups, etc) - basically a poor man’s LDAP browser, but it could prove pretty useful for that quick directory search.
  12. Mail
    As far as actual user applications go, this was the one I was looking for updates in the most. I’m a Mail user simply because I like the interface and integration with the other Mac OS X applications, but Mail always had a few things that nagged me. The first was no ability to forward an email as an attachment. As a postmaster, this was one of only a couple of items that could always force me to use a different email application for particular purposes. Now, Apple has finally decided to grace us with this ability, which is a godsend. Now, if they would only let you select that as a default option instead of hiding it in the menus.
    The second nag, and one that actually caused me to write my own Mail plugin, was the lack of IMAP folder subscriptions. Previously, Mail would simply show all IMAP folders you had access to (all folders returned by an IMAP LIST command). In an environment where there are lots (and I mean LOTS) of folders, this would take Mail.app down hard as it tried to index them all. Now, Mail does include IMAP subscription capability, but how they do it is interesting, like they’re being smart about it. Mail pays attention to the IMAP Namespace. When you go in to subscribe to folders, Mail presents you with a list of folders from the shared folders namespace. So, basically, Mail will always display all of your personal/INBOX folders, but will only show you the subscribed folders from the shared namespace. In some ways I like this, and in others I don’t. It would be nice if you could turn that feature off, because there are times when I have archival IMAP folders that I don’t necessarily want to be subscribed to. On the other hand, Mail now includes archival ability. As you can see, I’m still torn on this, but it’s definitely much better than it was before, and now very much workable.
    Mail also seems much faster. My take on this is that Apple may have allowed multithreaded access to the Envelope database. In Mail, the Envelope database, which contains the headers of all of the indexed messages, is an SQLite database. In Tiger Mail, it seemed that access to this database was very serialized. For instance, if you switched folders while Mail was in the middle of a sync operation, your display would hang until the operation was done. That doesn’t seem to be the case anymore, which means that the SQLite locking in Mail is probably much better, such that Mail can read the tables while some other thread is still writing to them.
    Finally, I do like the Activity Viewer pane in the bottom left, and I’m using the heck out of the new Notes feature, but I’m still unhappy about the fact that Mail offers no way of doing mail identities. As a sysadmin, I often send mail from various addresses (postmaster, hostmaster, etc.). With a standard IMAP account, you still have to hack the com.apple.mail.plist file directly to be able to send mail from those addresses (and even when you do that, you can’t change the “real name”, only the From email address).
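To show what “paying attention to the IMAP Namespace” means in practice, here is an added Python example (mine, not Apple’s Mail code) that parses a NAMESPACE response plus LIST and LSUB responses and applies the rule described above: every folder in the personal namespace is shown, folders in the shared namespace only if subscribed. The server responses are constructed; treating the “Other Users” namespace the same way as the shared one is my assumption, since the post only covers the shared namespace.

```python
"""Decide which IMAP folders to display from NAMESPACE, LIST and LSUB responses."""
import re

# Constructed server responses (RFC 2342 NAMESPACE, RFC 3501 LIST/LSUB).
NAMESPACE_LINE = '* NAMESPACE (("" "/")) (("Other Users/" "/")) (("Shared/" "/"))'
LIST_LINES = [
    '* LIST (\\HasNoChildren) "/" "INBOX"',
    '* LIST (\\HasNoChildren) "/" "Sent"',
    '* LIST (\\HasNoChildren) "/" "Archive/2006"',
    '* LIST (\\HasNoChildren) "/" "Shared/postmaster"',
    '* LIST (\\HasNoChildren) "/" "Shared/hostmaster"',
    '* LIST (\\HasNoChildren) "/" "Shared/archives/2005"',
    '* LIST (\\HasNoChildren) "/" "Other Users/bob/INBOX"',
]
LSUB_LINES = [
    '* LSUB () "/" "INBOX"',
    '* LSUB () "/" "Shared/postmaster"',
]

# quoted string | "(" | ")" | NIL | atom
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\()|(\))|(NIL)|([^\s()"]+)')


def parse_sexpr(text: str) -> list:
    """Tokenise an IMAP parenthesised list into nested Python lists (NIL -> None)."""
    stack = [[]]
    for m in _TOKEN.finditer(text):
        if m.group(2):
            stack.append([])
        elif m.group(3):
            inner = stack.pop()
            stack[-1].append(inner)
        elif m.group(4):
            stack[-1].append(None)
        elif m.group(5) is not None:
            stack[-1].append(m.group(5))      # atom, e.g. \HasNoChildren
        else:
            stack[-1].append(m.group(1))      # quoted string (may be empty)
    return stack[0]


def parse_namespace(line: str) -> dict:
    """Return the prefixes of the personal, other-users and shared namespaces."""
    personal, other, shared = parse_sexpr(line.split("NAMESPACE", 1)[1])

    def prefixes(ns):
        return [entry[0] for entry in ns] if ns else []

    return {"personal": prefixes(personal), "other": prefixes(other), "shared": prefixes(shared)}


def mailbox_name(line: str) -> str:
    """The mailbox name is the last item of a LIST/LSUB response."""
    return parse_sexpr(line.split(maxsplit=2)[2])[-1]


def classify(mailbox: str, ns: dict) -> str:
    """Namespace of a mailbox: the longest matching prefix wins (the personal
    prefix is often "", which would otherwise match everything). Unmatched
    names default to personal so they are not hidden."""
    best, best_len = "personal", -1
    for kind in ("personal", "other", "shared"):
        for prefix in ns[kind]:
            if mailbox.startswith(prefix) and len(prefix) > best_len:
                best, best_len = kind, len(prefix)
    return best


def visible_folders(namespace_line, list_lines, lsub_lines) -> list:
    """Show every personal-namespace folder; show the other namespaces only if subscribed."""
    ns = parse_namespace(namespace_line)
    subscribed = {mailbox_name(line) for line in lsub_lines}
    shown = []
    for line in list_lines:
        box = mailbox_name(line)
        if classify(box, ns) == "personal" or box in subscribed:
            shown.append(box)
    return shown


if __name__ == "__main__":
    for box in visible_folders(NAMESPACE_LINE, LIST_LINES, LSUB_LINES):
        print(box)
```

With these responses the personal folders INBOX, Sent and Archive/2006 are always listed, Shared/postmaster appears because it is in LSUB, and the two unsubscribed shared folders and the other-user mailbox are suppressed; this is exactly the behaviour that makes a server with thousands of shared folders tolerable while still leaving no way to hide a personal archive folder.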
  13. iCal
    Last, but not least, there’s iCal. Several of my issues with Tiger’s iCal have been addressed. iCal now supports https calendar subscriptions, which is important when using authenticated web servers. iCal also seems to have addressed some time zone problems when interacting with Microsoft Outlook clients. With CalDAV support in Leopard’s iCal, version 5.0 of Zimbra should be an even bigger win for Mac OS X users than it is now.
