diff hook: execute as the build user, and pass the temp dir

doc/manual/advanced-topics/diff-hook.xml

@@ -46,17 +46,15 @@ file containing:
 #!/bin/sh
 exec >&2
 echo "For derivation $3:"
-/run/current-system/sw/bin/runuser -u nobody -- /run/current-system/sw/bin/diff -r "$1" "$2"
+/run/current-system/sw/bin/diff -r "$1" "$2"
 </programlisting>
 
-<warning>
-  <para>The diff hook can be run as root. Take care to run as little
-  as possible as root, for this example we use <command>runuser</command>
-  to drop privileges.
-  </para>
-</warning>
 </para>
 
+<para>The diff hook is executed by the same user and group who ran the
+build. However, the diff hook does not have write access to the store
+path just built.</para>
+
 <section>
   <title>
     Spot-Checking Build Determinism

doc/manual/command-ref/conf-file.xml

@@ -252,13 +252,11 @@ false</literal>.</para>
       same.
     </para>
 
-    <warning>
-      <para>
-        The root user executes the diff hook in a daemonised
-        installation. See <xref linkend="chap-diff-hook" /> for
-        information on using the diff hook safely.
-      </para>
-    </warning>
+    <para>
+      The diff hook is executed by the same user and group who ran the
+      build. However, the diff hook does not have write access to the
+      store path just built.
+    </para>
 
     <para>The diff hook program receives three parameters:</para>
 
@@ -280,6 +278,14 @@ false</literal>.</para>
           The path to the build's derivation
         </para>
       </listitem>
+
+      <listitem>
+        <para>
+          The path to the build's scratch directory. This directory
+          will exist only if the build was run with
+          <option>--keep-failed</option>.
+        </para>
+      </listitem>
     </orderedlist>
 
     <para>The diff hook should not print data to stderr or stdout, as