I'm using Go to create a kind of custom client for Docker. It parses a YAML file, creates the containers with some hard-coded options and then creates terminal windows in order to be able to interact with the containers. However, I'm struggling with the last part, the creation of the terminal windows.
I want my program to use setuid to avoid users to use sudo or be part of the docker group, as that could make them able to use directly the Docker CLI. Instead, I want them to only use my program to manage Docker containers. To create the terminal windows, I was using the os/exec package to call the terminal emulator, which it would create several tabs for each container. For example, the executed command would be: xfce4-terminal -e "sh -c 'docker container attach container1; exec sh" --tab -e "sh -c 'docker container attach container2; exec sh" (the last part, exec sh, is added so the tab can be used after stopping the container)
This doesn't work because xfce4-terminal, like gnome-terminal or terminator, are GTK+ apps and they don't allow setuid execution. I tried to use cmd.SysProcAttr to set the real UID and GID while creating the terminal windows, but then the docker attach command fails as the user doesn't belong to the docker group. Finally, I tried using sudo, but this has the problem that, after stopping the container, the user can execute commands as the root user.
As stated in the GTK website, I believe that the way to go would be to call the client.ContainerAttach function of the Docker SDK and pass the output to the non-setuid terminal through a pipe. But I don't know how I should implement this, so that's why I'm asking for your help.
I'd be happy too if you provide me a solution that doesn't use pipes or that stuff but it has the desired behaviour, that is, create one terminal window with N tabs, one for each container (or N terminal windows, both are good to me).
Thanks in advance!