you can use

setcap cap_net_raw,cap_net_admin=eip /usr/sbin/lft
you get setcap with the pkg libcap2-bin

to allow users to run /usr/sbin/lft