Mavericks Update:Setting A Default Paper Size

printerThe Mac Admin reader David noted that the preference file and key referenced in Setting A Default Paper Size no longer manages the default paper size setting in OS X v10.9 Mavericks.

The new file is
~/Library/Preferences/org.cups.PrintingPrefs.plist

This makes the new preference domain: org.cups.PrintingPrefs

The Key that governs the preference remains the same: DefaultPaperID

The values remain the same, repeated below for your convenience.

Paper Size String
US Legal na-legal
US Letter na-letter
A4 iso-a4
A5 iso-a5
JIS B5 jis-b5
B5 iso-b5
Envelope #10 na-number-10-envelope
Envelope DL iso-designated-long-envelope
Tabloid tabloid
A3 iso-a3
Tabloid Oversize arch-b
ROC 16K roc16k
Envelope Choukei 3 cho-3-envelope
Super B/A3 arch-b-extra

Custom Paper Sizes

printerIn response to a reader request, here’s how to create custom paper sizes.

This is another item governed by a hidden preference file.  The preference file that governs custom paper sizes is

~/Library/Preferences/com.apple.print.custompapers.plist

This file does not exist until custom paper sizes have been created.  Let’s have a look at the contents of a preference file that defines one custom paper size – 4″ x 6″ borderless paper.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
     <key>4x6 Borderless</key>
     <dict>
          <key>bottom</key>
          <real>0.0</real>
          <key>custom</key>
          <true/>
          <key>height</key>
          <real>432</real>
          <key>id</key>
          <string>4x6 Borderless</string>
          <key>left</key>
          <real>0.0</real>
          <key>name</key>
          <string>4x6 Borderless</string>
          <key>printer</key>
          <string> </string>
          <key>right</key>
          <real>0.0</real>
          <key>top</key>
          <real>0.0</real>
          <key>width</key>
          <real>288</real>
     </dict>
</dict>
</plist>

The first three lines identify the file as an Apple preference file.  The fourth line, “” is a dictionary tag.  Dictionary tags are used as containers for preference keys.  A dictionary is an unordered list of keys, whereas its counterpart – the array, is an ordered list of keys.

The fifth line is the first key in this preference file.  In com.apple.print.custompapers, this key is used to define the custom paper size.  This key’s value, starting on the sixth line is another dictionary containing the details for this custom paper size.  Each key is followed by its value.  See the table below for definitions of each of these keys.

Key Value
bottom Bottom margin, expressed in PostScript points*
custom The value “true” indicates this is a custom setting.
height Paper height, expressed in PostScript points*
id The setting’s identifier
left Left margin, expressed in PostScript points*
name The setting’s name
printer Unknown, possibly used to tie settings to individual printers
right Right margin, expressed in PostScript points*
top Top margin, expressed in PostScript points*
width Paper width, expressed in PostScript points*

*1 inch = 72 PostScript points.  Here are some handy Google search terms: “1 inch postscript point”, “1 centimeter postscript point”.

Crafting a custom paper size dictionary by hand requires a bit of arithmetic to translate the PostScript points to more familiar units and the dictionary syntax can be a bit fiddly for some administrators.  A useful shortcut would be to use the GUI to create the custom paper size entry on a test computer, then harvest the dictionary from the resulting preference file.  Once you have the dictionary, you could use it in a Configuration Profile or Managed Preference.

Setting A Default Paper Size

printerThis post is in response to a reader request.

In Mac OS X, the default paper size is a setting that determines the size of paper that applications will try to print to unless the user chooses otherwise. For most systems and applications this defaults to US Letter.  In order to provide a positive user experience, especially for end users outside of the United States, it may be desirable to set a different default paper size.

The file that contains this preference is:
~/Library/Preferences/com.apple.print.PrintingPrefs.plist

This makes the preference domain: com.apple.print.PrintingPrefs

The Key that governs the preference is called : DefaultPaperID

DefaultPaperID contains a string value that corresponds to a paper size. See the chart below:

Paper Size String
US Legal na-legal
US Letter na-letter
A4 iso-a4
A5 iso-a5
JIS B5 jis-b5
B5 iso-b5
Envelope #10 na-number-10-envelope
Envelope DL iso-designated-long-envelope
Tabloid tabloid
A3 iso-a3
Tabloid Oversize arch-b
ROC 16K roc16k
Envelope Choukei 3 cho-3-envelope
Super B/A3 arch-b-extra

To set this preference with a script use the command below, replacing with the correct string for the intended paper size.

For a single user, run as the user:
defaults write ~/Library/Preferences/com.apple.print.PrintingPrefs DefaultPaperID

For all users, run as root:
defaults write /Library/Preferences/com.apple.print.PrintingPrefs DefaultPaperID

This process has been tested on Mac OS X v10.6 (Snow Leopard), v10.7 (Lion) and v10.8 (Mountain Lion).

I hope you find this useful.

Printing For Non-Admins In Leopard

printerThis is a topic I’ve seen covered in many places, however most of the articles I see on this topic only get part of the solution or solve it in a way that creates unnecessary security issues.  In light of this, I’ve decided to talk about what I consider to be the best practices on the subject and the reasons why.

Why Did Apple Limit The Printing System?

Unless you know why Apple imposed security restrictions on the printing system, it seems pretty silly and detrimental to users.  After I understood the reasons behind the change, it made a lot of sense.

When you add a printer in CUPS (Common UNIX Printing System, the printing software under the proverbial hood) and specify a PPD file for that printer, the PPD file can, and often does, run software as root.  This function of the printing system could be used to run malicious code.  To help mitigate this risk, administrator authentication is required if the logged in user is not an administrative user or if the “Require password to unlock each System Preferences pane” box has been checked in the Security System Preferences Pane.  None of this is an issue in the “typical” home computer installation since there is only one user and that user is an administrator.  For environments that require extra security, indicated by having standard (non-admin) user accounts and/or system preference restrictions, this vulnerability is closed.

Make A Spare Key; Don’t Remove the Door

Many of the blogs and forum posts I’ve read on this subject advocate the removal of CUPS security features.  If this sounds like a good idea, ask yourself this; if you wanted to give someone access to your home, would you take your front door off its hinges or give this person a key?  I think the answer is clear.

Understanding The Lock

Before we can make our “spare key”, we need to understand how the lock works.  to do that, we’ll look at the default CUPS configuration file, found at /private/etc/cups/cupsd.conf and how it defines CUPS Operation policies.  Every Mac OS X Leopard installation includes detailed documentation on this subject at http://localhost:631/help/policies.html (link opens in a new window)  For our purposes, we’ll look at the specific section of the cupsd.conf file that covers adding, deleting and setting default printers, but this URL is your best reference for CUPS operation and configuration.

# All administration operations require an administrator to authenticate...
     <Limit CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class
CUPS-Delete-Class CUPS-Set-Default>
          AuthType Default
          Require user @SYSTEM
          Order deny,allow
     </Limit>

The line that reads Require user @SYSTEM is what dictates that administrative authentication is required.

Making the Spare Key

Many people are recommending deleting or commenting out this block of text. This is the equivalent of taking the door off of the hinges that I mentioned. Instead, we can modify this block to grant permission to groups that we define, rather than removing the security feature. If we add user or group names to the line that reads Require user @SYSTEM, those users and members of those groups will be granted the add, delete and set default permissions. See the example below…

# All administration operations require an administrator to authenticate...
     <Limit CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class
CUPS-Delete-Class CUPS-Set-Default>
          AuthType Default
          Require user @SYSTEM @admin @lpadmin @mycustomgroup
mycustomuser
          Order deny,allow
     </Limit>

This modification allows the members of the admin, lpadmin and mycustomgroup groups and the user mycustomuser to add, delete and set default printers. Group names require the preceding “@” character, usernames do not.

Going Further

There are other default policies in the default cupsd.conf file that govern pausing & resuming queues, holding & deleting print jobs, etc. These policies can be modified in the same way. The CUPS help file (link at the top of this article) contains details on 38 different printing system operations that can be governed by the cupsd.conf file and detailed instructions on creating your own policies within the file. Using that information, you should be able to configure virtually any required or desired security settings.