For Debian install libcap2-bin
For superuser ports, try setcap cap_net_bind_service=+eip /path/to/program
Also can do setcap cap_ipc_lock,cap_sys_nice=+eip /usr/bin/jackd and enjoy realtime scheduling in jack. You can also do this for alsaplayer to enable the realtime option there.
If you want to use wireshark from a non-root account, do setcap cap_net_raw=+eip /usr/bin/dumpcap. Now you can run wireshark from a normal account and choose to capture from the network.
+eip gives the capability to the program regardless of what user runs it.
Use of +ei instead of +eip is recommended to restrict access to only executing processes that have been granted an inheritable capability.
This is generally set by root processes as they create new user or service sessions.
For a user account placing in /etc/security/capability.conf the contents:
cap_net_admin,cap_net_raw,cap_sys_nice,cap_ipc_lock
userConfigures user so that when running things with an +ei they convert to +eip and are active.
Capability status can then be checked with /sbin/getpcaps $$
Also, systemd can give has the same feature in service units, this is AmbientCapabilities=
Example, let apache2 run cgi scripts that call programs that make raw sockets such as etherwake;
We can merge into /etc/systemd/system/apache2.service.d/override.conf