debian: do not add user to sudo group, lock root account

The qubes-core-agent-passwordless-root package ships sudo configuration,
adding to sudo group isn't needed.

Basically revert all changes made by qubes-core-agent-passwordless-root
installation.

Fixes QubesOS/qubes-issues#4015

debian/qubes-core-agent-passwordless-root.postrm

@@ -38,6 +38,9 @@ set -e
 
 if [ "${1}" = "remove" ] ; then
     gpasswd -d user sudo
+    if [ "$(passwd -S root|cut -f 2 -d ' ')" = "NP" ]; then
+        passwd -l root
+    fi
 fi
 
 

debian/qubes-core-agent-passwordless-root.preinst

@@ -35,7 +35,6 @@ set -e
 
 if [ "$1" = "install" ] ; then
     usermod -p '' root
-    usermod -a --groups sudo user
 fi
 
 # dh_installdeb will replace this with shell code automatically