Bluetooth LE scan as non-root?

The Bluetooth protocol stack for Linux checks two capabilities. Capabilities are a not yet common system for managing some privileges. They could be handled by a PAM module or via extended file attributes (see https://elixir.bootlin.com/linux/v5.8.10/source/net/bluetooth/hci_sock.c#L1307).

 $> sudo apt-get install libcap2-bin

installs the Linux capabilities manipulation tools.

 $> sudo setcap 'cap_net_raw,cap_net_admin+eip' `which hcitool`

sets the missing capabilities on the executable, much like the setuid bit.

 $> getcap !$
 getcap `which hcitool`
 /usr/bin/hcitool = cap_net_admin,cap_net_raw+eip

so we are good to go:

 $> hcitool -i hci0 lescan
 Set scan parameters failed: Input/output error

Yeay, your BT adapter does not support BLE.

 $> hcitool -i hci1 lescan
 LE Scan...

This one does; go on and press a button on your device.


Ok, at least I partially discovered why hcitool requires root privileges for an LE scan but not for a normal scan. Partially means that I located the system call which fails due to insufficient privileges when running the LE scan as a normal user.

The "Operation not permitted" error is generated by a writev system call, with the call stack looking as follows (all functions implemented in hci.c, see the bluez source code):

 hci_le_set_scan_parameters -> hci_send_req -> hci_send_cmd -> writev

The normal scan ("hcitool scan") apparently does not need to send any requests to the controller, but uses a dedicated ioctl request, calling:

 ioctl(dd, HCIINQUIRY, (unsigned long) buf);

It seems that write access to the bluetooth controller is restricted, but why and how can I deactivate that?
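As an added example (not code from this thread, from BlueZ, or from the kernel), the following C program replays the gate that, as far as I can tell, sits behind both the setcap answer and the writev trace above. The raw HCI socket lets an unprivileged process send only a fixed whitelist of HCI commands, kept in the static hci_sec_filter table in net/bluetooth/hci_sock.c and checked in hci_sock_sendmsg; everything else gets EPERM unless the sender has CAP_NET_RAW in its effective set. The LE controller command group (OGF 0x08, which includes LE_Set_Scan_Parameters and LE_Set_Scan_Enable) has no entry in that table at all, so the write path used by hci_le_set_scan_parameters fails without the capability that the setcap line grants, while HCI_Inquiry is whitelisted. The mask values are my transcription of that file and should be checked against the linked source; the OP_* names, the sec_* helpers and the scan parameter bytes are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants mirrored from net/bluetooth/hci_sock.c (transcribed for this
 * example, not copied from the kernel; verify against the linked file). */
#define HCI_SFLT_MAX_OGF 5
#define HCI_FLT_OCF_BITS 63
#define HCI_COMMAND_PKT  0x01

/* A 16-bit HCI opcode is OGF (6 bits) << 10 | OCF (10 bits). */
#define HCI_OGF(op) ((unsigned)(op) >> 10)
#define HCI_OCF(op) ((unsigned)(op) & 0x03ff)

/* Opcodes used below; names follow the Bluetooth Core Spec command names. */
#define OP_INQUIRY                0x0401  /* OGF 0x01, OCF 0x0001 */
#define OP_READ_LOCAL_VERSION     0x1001  /* OGF 0x04, OCF 0x0001 */
#define OP_LE_SET_SCAN_PARAMETERS 0x200B  /* OGF 0x08, OCF 0x000B */
#define OP_LE_SET_SCAN_ENABLE     0x200C  /* OGF 0x08, OCF 0x000C */

/* Per-OGF bitmap of commands an unprivileged raw HCI socket may send.
 * Assumption: transcribed from hci_sec_filter.ocf_mask in hci_sock.c.
 * OGFs above HCI_SFLT_MAX_OGF, i.e. the whole LE group 0x08, have no row. */
static const uint32_t sec_ocf_mask[HCI_SFLT_MAX_OGF + 1][4] = {
    { 0x00000000, 0x00000000, 0, 0 },
    { 0xbe000006, 0x00000001, 0, 0 }, /* OGF 0x01 link control   */
    { 0x00005200, 0x00000000, 0, 0 }, /* OGF 0x02 link policy    */
    { 0xaab00200, 0x00000000, 0, 0 }, /* OGF 0x03 host control   */
    { 0x000002be, 0x00000000, 0, 0 }, /* OGF 0x04 informational  */
    { 0x000000ea, 0x00000000, 0, 0 }, /* OGF 0x05 status         */
};

/* Same bit test the kernel's hci_test_bit() does on an array of u32. */
static int sec_test_bit(unsigned nr, const uint32_t *words)
{
    return (words[nr >> 5] >> (nr & 31)) & 1u;
}

/* Returns 1 if hci_sock_sendmsg answers EPERM for this command unless the
 * caller holds CAP_NET_RAW, 0 if the command passes the security filter. */
int hci_cmd_needs_cap_net_raw(uint16_t opcode)
{
    unsigned ogf = HCI_OGF(opcode), ocf = HCI_OCF(opcode);
    if (ogf > HCI_SFLT_MAX_OGF)
        return 1;
    return !sec_test_bit(ocf & HCI_FLT_OCF_BITS, sec_ocf_mask[ogf]);
}

/* Serialises an HCI command packet the way it crosses the raw socket:
 * [0x01][opcode LE16][param length][params]. Returns bytes written, 0 on overflow. */
size_t hci_build_cmd(uint8_t *out, size_t cap, uint16_t opcode,
                     const uint8_t *params, uint8_t plen)
{
    if (cap < (size_t)4 + plen)
        return 0;
    out[0] = HCI_COMMAND_PKT;
    out[1] = (uint8_t)(opcode & 0xff);
    out[2] = (uint8_t)(opcode >> 8);
    out[3] = plen;
    if (plen)
        memcpy(out + 4, params, plen);
    return 4 + (size_t)plen;
}

/* Constructed LE_Set_Scan_Parameters payload (7 bytes, little-endian fields):
 * passive scan, 10 ms interval and window, public own address, accept all. */
static const uint8_t le_scan_params[7] = {
    0x00,       /* LE_Scan_Type: passive */
    0x10, 0x00, /* LE_Scan_Interval: 0x0010 * 0.625 ms */
    0x10, 0x00, /* LE_Scan_Window */
    0x00,       /* Own_Address_Type: public */
    0x00,       /* Scanning_Filter_Policy: accept all */
};

int main(void)
{
    const struct { const char *name; uint16_t op; } cmds[] = {
        { "HCI_Inquiry (hcitool scan)",       OP_INQUIRY },
        { "Read_Local_Version_Information",   OP_READ_LOCAL_VERSION },
        { "LE_Set_Scan_Parameters (lescan)",  OP_LE_SET_SCAN_PARAMETERS },
        { "LE_Set_Scan_Enable (lescan)",      OP_LE_SET_SCAN_ENABLE },
    };
    uint8_t pkt[64];
    size_t n, i;

    for (i = 0; i < sizeof cmds / sizeof cmds[0]; i++)
        printf("%-34s opcode 0x%04x: %s\n", cmds[i].name, cmds[i].op,
               hci_cmd_needs_cap_net_raw(cmds[i].op)
                   ? "EPERM without CAP_NET_RAW" : "allowed unprivileged");

    n = hci_build_cmd(pkt, sizeof pkt, OP_LE_SET_SCAN_PARAMETERS,
                      le_scan_params, sizeof le_scan_params);
    printf("writev payload for LE_Set_Scan_Parameters (%zu bytes):", n);
    for (i = 0; i < n; i++)
        printf(" %02x", pkt[i]);
    printf("\n");
    return 0;
}
```

I am not aware of a sysctl or module parameter that switches this filter off; the ways past it are CAP_NET_RAW in the effective set (which is what the setcap line in the answer above puts on hcitool) or running as root. Note that the check is on the socket write, not on the ioctl, which fits the observation that the HCIINQUIRY ioctl path of "hcitool scan" works without privileges.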