Updated guide to use cupsctl

[rabbitt]

Use cupsctl to make cupsd config changes, and lpstat -W completed -o in a cronjob to ensure configured pruning without purging active jobs.

[sunknudsen]

Hey @rabbitt, thanks for contributing to the privacy guides.

Using cupsctl is way cleaner than using heredoc… great contribution. I see changes are essentially written to /etc/cups/cupsd.conf without requiring sudo. 🙌

I believe launch daemon step is required to make sure cupsd.conf is not overwritten during macOS updates… what do you think?

[rabbitt]

Hey @rabbitt, thanks for contributing to the privacy guides.

My pleasure!

I believe launch daemon step is required to make sure cupsd.conf is not overwritten during macOS updates… what do you think?

Sure, understanding your specific use case, I think that makes sense for you. For me, I prefer to manually reconfigure after an OS update because having a launchd service reconfigure things without my awareness, or possible consent, always makes me nervous, and is somewhat akin to "spooky action at a distance" in that I might not always expect or always want the change. Again, in your use case, it probably makes sense :-)

[sunknudsen]

Good morning @rabbitt… cleaned up PR to incorporate your recommendations while keeping original intent of guide.

Please let me know if you are comfortable with changes (and if I made mistakes).

Will merge once I get your GO.

[rabbitt]

you can use grep -q here to silence the output from grep, and rely on the status code returned depending on whether the search term was found or not, and avoid having to redirect stdout/stderr, e.g.:

# ensure idempotent operation - exit if change already exists
if cupsctl | grep -iqE 'PreserveJobHistory\s*=\s*no'; then

Also, if you wanted, you could also simplify that down to a single line:

# ensure idempotent operation - exit if change already exists
cupsctl | grep -iqE 'PreserveJobHistory\s*=\s*no' && exit 0

[sunknudsen]

Using grep’s --quiet flag is much cleaner, thanks!

Elegant one-liner… that said, if and then might be more literal for people getting started with command line (I try to use long form when possible in guides hence using --quiet vs -q flag.

[sunknudsen]

Is regular expression necessary given config is generated programatically by cupsctl?

[rabbitt]

Is regular expression necessary given config is generated programatically by cupsctl?

Probably not, I'm just paranoid 😳 lol

[sunknudsen]

Btw, love how thorough you are. 🤓

[sunknudsen]

Does lpstat -W completed -o purge job files from /var/spool/cups? Btw, not too worried about using cancel -a -x in this specific use case, but definitively worth considering.

[rabbitt]

Does lpstat -W completed -o purge job files from /var/spool/cups?

It does, and it does it according to your settings (e.g., "PreserveJobXXX" and MaxJobTime). Also, with the -W completed flag, it only cleans up completed jobs, and not active jobs.

Btw, not too worried about using cancel -a -x in this specific use case, but definitively worth considering.

Sure, I'm just thinking that people tend to blindly run commands without researching them, so I figure using lpstat is safer as it doesn't kill jobs that are actively printing or stuck, only jobs that have actually completed. Maybe include both commands and explain the difference between the two (i.e., cancel blindly purges everything, vs lpstat -W completed -o just purges completed jobs).

[sunknudsen]

Thanks for feedback… would you happen to have ideas to limit cupsctl calls while preserving command intelligibility for people who are just getting started (ideally, one command to get current state and one to update config if need be)?

My (perhaps naive) understanding is that, if above is implemented, config would be updated 3 times which would also reload CUPS same amount of times.

[rabbitt]

Here's a more thorough rewrite that is idempotent, logs changes to syslog, and only calls out to cupsctl at most once:

#!/bin/bash

set -e

function log() {
    # If no arguments, return immediately
    [[ $# -le 0 ]] && return 
    echo "$@"
    /usr/bin/syslog -s -l info "cups-privacy: $@" 
}

# store settings in bash variables so that, if we decide to change them,
# we only have to change the values in one place
PreserveJobHistory=no
PreserveJobFiles=no
MaxJobTime=5m

settings="$(/usr/sbin/cupsctl | /usr/bin/awk -f <(cat <<EOF
    BEGIN { pjh=pjf=mjt=1 } 
    /PreserveJobHistory=${PreserveJobHistory}/ { pjh=0 } 
    /PreserveJobFiles=${PreserveJobFiles}/ { pjf=0 } 
    /MaxJobTime=${MaxJobTime}/ { mjt=0 } 
    END { 
        if (pjh==1) { print("PreserveJobHistory=${PreserveJobHistory}") } 
        if (pjf==1) { print("PreserveJobFiles=${PreserveJobFiles}") } 
        if (mjt==1) { print("MaxJobTime=${MaxJobTime}") } 
    }
EOF
) | /usr/bin/xargs)"


# if nothing to change, exit 
if [[ -z $settings ]]; then
    log "Settings configured correctly; nothing to do."
    exit 0
fi

log "Updated missing or incorrect CUPS settings: ${settings}"
/usr/sbin/cupsctl $settings

[rabbitt]

Hey @sunknudsen - I'm sure you've been pretty busy, especially with holidays just past us. Wanted to follow up on this request and see if there's any thoughts on moving forward with the discussion and changes ?