Enhance user creation process in serversideup-create-unprivileged-user script by setting accounts to expired for Alpine and using a locked password for Debian, ensuring accounts remain unlocked while preventing unauthorized access.

Author: jaydrogers

src/rootfs/usr/local/bin/serversideup-create-unprivileged-user

@@ -25,14 +25,19 @@ PGID="$3"
 if [ -f /etc/alpine-release ]; then
     # Alpine
     addgroup -g "${PGID}" "${username}" && \
-    adduser -u "${PUID}" -G "${username}" -h "/home/${username}" -s /bin/sh -D "${username}"
+    adduser -u "${PUID}" -G "${username}" -h "/home/${username}" -s /bin/sh -D "${username}" && \
+    # Set account to expired but not locked
+    chage -E 0 "${username}"
 else
     # Debian
     addgroup --gid "${PGID}" "${username}" && \
     adduser --uid "${PUID}" \
             --gid "${PGID}" \
             --home "/home/${username}" \
             --shell /bin/bash \
+            --disabled-password \
             --gecos '' \
-            "${username}"
+            "${username}" && \
+    # Set a locked password that can't be used but keeps the account unlocked
+    usermod -p '!' "${username}"
 fi