
Re^5: pp --clean does not seem to work

by Anonymous Monk
on Dec 13, 2015 at 05:45 UTC ( [id://1150150]=note )


in reply to Re^4: pp --clean does not seem to work
in thread pp --clean does not seem to work

so, if the attacker can execute programs on the user's machine, the game is lost ... this never made any sense to me, I don't get it

Re^6: pp --clean does not seem to work
by afoken (Chancellor) on Dec 13, 2015 at 08:15 UTC
    so, if the attacker can execute programs on the user's machine, the game is lost ... this never made any sense to me, I don't get it

    You seem to live in a world where every user "owns" its machine. While this is common at home, quite the opposite is true in business and educational environments. Lots of machines are managed by a few administrators, and the users have only limited privileges on the machines.

    Some of the users want to have more control over their machines, but don't want to go the official way to get more privileges - for example, because the admins don't want a first-year student to gain root access on the university's fileservers.

    So there are only two ways to gain root: Trick the admins into giving you root privileges, or find a bug that gives you root privileges. See https://en.wikipedia.org/wiki/Social_engineering_%28security%29 for the first way. The other way attacks programs that run with elevated privileges (cron jobs, set-uid programs), sometimes also the network or the physical security of the servers.

    A program that predictably creates or deletes files in user-controllable directories while running with elevated privileges is a good target, as explained before. It becomes an even better target for an attack if the contents of the files can be influenced by the user.

    Alexander

    --
    Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
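The point above about predictable file creation in user-controllable directories, as an added example that is not part of the original posts and is not PAR::Packer's code: a plain open() on a predictable name next to an exclusive create. The directory, file names and helper subs are constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL O_NOFOLLOW);
use File::Temp qw(tempdir);
use File::Spec;

# Weak pattern: plain open() on a predictable name. If a symlink already
# sits at that name, the write lands wherever the link points.
sub write_predictable {
    my ($path, $data) = @_;
    open(my $fh, '>', $path) or die "open $path: $!\n";
    print {$fh} $data;
    close($fh) or die "close $path: $!\n";
    return;
}

# Hardened pattern: O_CREAT|O_EXCL fails with EEXIST if anything (a file or
# a symlink) already exists at the name; O_NOFOLLOW is belt and braces.
# Mode 0600 keeps other users from reading or changing the contents.
sub write_exclusive {
    my ($path, $data) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)
        or die "refusing $path: $!\n";
    print {$fh} $data;
    close($fh) or die "close $path: $!\n";
    return;
}

sub slurp { open(my $fh, '<', $_[0]) or die "read $_[0]: $!\n"; local $/; return <$fh> }

# Constructed demo. tempdir() makes a mode-0700 directory that stands in
# for a shared, world-writable location such as /tmp.
my $shared  = tempdir(CLEANUP => 1);
my $target  = File::Spec->catfile($shared, 'important.conf');  # privileged file
my $scratch = File::Spec->catfile($shared, 'app-scratch.tmp'); # predictable name

write_exclusive($target, "original\n");
symlink($target, $scratch) or die "symlink: $!\n";  # link already present

eval { write_exclusive($scratch, "scratch data\n"); 1 } or print "hardened: $@";
print "after hardened write: ", slurp($target);     # still "original"

write_predictable($scratch, "scratch data\n");
print "after plain open():   ", slurp($target);     # now "scratch data"

# Idiomatic fix: let File::Temp pick an unpredictable name (it opens with O_EXCL).
my $tmp = File::Temp->new(DIR => $shared);
print "File::Temp chose: ", $tmp->filename, "\n";
```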

      You seem to live in a world where every user "owns" its machine...

      Yeah, that's just the same old hypothetical story, an admin might be fooled into running a program from user writable directory and this is bad and not merely a bad admin

      I don't see any bug reports to PAR/PAR::Packer about this

      As an aside, against PAR/pp might make a good of its own

        As an aside, advocating against PAR/pp might make a good thread of its own
