The special file /dev/io is a controlled security hole that allows a process to gain I/O privileges (which are normally reserved for kernel-internal code). Any process that holds a file descriptor on /dev/io open will get its IOPL bits in the flag register set, thus allowing it to perform direct I/O operations. This can be useful in order to write userland programs that handle some hardware directly. Note that even read-only access will grant the full I/O privileges.
In addition to any file access permissions on /dev/io, the kernel enforces that only the super-user may open this device.