I'm building a package containing a web service that needs to listen on port 443. The service itself is written in Go, so I can't use authbind to manage the port permissions. Instead, I've opted to use setcap:

```
me@buildbox $ setcap CAP_NET_BIND_SERVICE=+eip opt/myservice/myservice
me@buildbox $ getcap opt/myservice/myservice
opt/myservice/myservice = cap_net_bind_service+eip
```

However, this capability is not preserved when I install the package on my servers.

```
me@myserver $ apt-get install myservice
...
# installs normally
...
me@myserver $ getcap /opt/myservice/myservice
me@myserver $ # ^ No output == no capabilities
```

I really don't want this service to be run as root ever, but I'm having trouble coming up with a solution that is preserved when the package is installed. Can I somehow set capabilities in a Debian package? Is there another method that achieves the desired end result (service can bind to port 443, but doesn't run as root)?
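
An added example, not part of the original post: file capabilities are stored in the `security.capability` extended attribute, which the package's data archive does not carry, so one common approach is to reapply them from the package's `postinst` maintainer script. The function name `apply_caps` is hypothetical, the path and capability are the ones from the post, and the script assumes `libcap2-bin` (which ships `setcap` and `getcap`) is listed in the package's `Depends`.

```shell
#!/bin/sh
# debian/postinst sketch (added example, not the poster's packaging).
set -e

BIN=/opt/myservice/myservice          # install path from the post
CAPS='cap_net_bind_service=+eip'      # capability string from the post

# Apply a file capability and verify it is present afterwards.
# Returns non-zero if the tool or binary is missing, or if the
# capability did not stick (e.g. filesystem without xattr support).
apply_caps() {
    bin=$1
    caps=$2
    if ! command -v setcap >/dev/null 2>&1; then
        echo "postinst: setcap not found; add libcap2-bin to Depends" >&2
        return 1
    fi
    if [ ! -f "$bin" ]; then
        echo "postinst: missing binary: $bin" >&2
        return 1
    fi
    setcap "$caps" "$bin" || return 1
    # getcap prints nothing when no capability is set, so an empty
    # result here means the install would silently fall back to needing root.
    getcap "$bin" | grep -q 'cap_net_bind_service'
}

# "configure" runs on first install and on every upgrade. Upgrades unpack
# a fresh copy of the binary without the attribute, so it must be
# reapplied each time rather than only once.
case "${1:-}" in
    configure)
        apply_caps "$BIN" "$CAPS"
        ;;
esac
```

The binary should stay root-owned and not writable by the service account, since anyone who can replace the file can run their own code with the capability.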