firstboot: create locked and empty root passwords consistently

Although locked and empty passwords in /etc/passwd are treated the same, in all
other cases the entry is configured to read the password from /etc/shadow.

(cherry picked from commit 5088de9daa156a095e79684c658f9035db971538)
(cherry picked from commit 21d270d38f821915949e3c13950637994c33d34f)

src/firstboot/firstboot.c

@@ -1137,10 +1137,13 @@ static int process_root_account(int rfd) {
                 password = PASSWORD_SEE_SHADOW;
                 hashed_password = _hashed_password;
 
-        } else if (arg_delete_root_password)
-                password = hashed_password = PASSWORD_NONE;
-        else
-                password = hashed_password = PASSWORD_LOCKED_AND_INVALID;
+        } else if (arg_delete_root_password) {
+                password = PASSWORD_SEE_SHADOW;
+                hashed_password = PASSWORD_NONE;
+        } else {
+                password = PASSWORD_SEE_SHADOW;
+                hashed_password = PASSWORD_LOCKED_AND_INVALID;
+        }
 
         r = write_root_passwd(rfd, pfd, password, arg_root_shell);
         if (r < 0)

test/units/testsuite-74.firstboot.sh

@@ -189,7 +189,7 @@ echo -ne "\nfoobar\n" | systemd-firstboot --root="$ROOT" --prompt-hostname
 grep -q "foobar" "$ROOT/etc/hostname"
 # With no root password provided, a locked account should be created.
 systemd-firstboot --root="$ROOT" --prompt-root-password </dev/null
-grep -q "^root:!\*:0:0:" "$ROOT/etc/passwd"
+grep -q "^root:x:0:0:" "$ROOT/etc/passwd"
 grep -q "^root:!\*:" "$ROOT/etc/shadow"
 rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow"
 echo -ne "\n/bin/fooshell\n" | systemd-firstboot --root="$ROOT" --prompt-root-shell
@@ -240,7 +240,7 @@ grep -E "[a-z0-9]{32}" "$ROOT/etc/machine-id"
 rm -fv "$ROOT/etc/machine-id"
 
 systemd-firstboot --root="$ROOT" --delete-root-password
-grep -q "^root::0:0:" "$ROOT/etc/passwd"
+grep -q "^root:x:0:0:" "$ROOT/etc/passwd"
 grep -q "^root::" "$ROOT/etc/shadow"
 rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow"