UNTESTED: Use sulogin --force when locking root account
Some users have found the new behaviour really surprising and inconvenient, since we switched from using the src:sysvinit to using the src:util-linux sulogin implementation. The src:sysvinit implementation used to have a patch that allowed passwordless root shell when the root account was locked. The src:util-linux had no such functionality initially, but then later added it under the --force flag which needs to be passed explicitly. Since systemd 240 there's now a simple way to enable passing the flag if desired.

This commit restores the previous Debian behaviour for new installs which disables the root account.

Since Debian by default doesn't have a locked down secure boot, it's trivial to just pass init=/bin/bash on the kernel command line in the bootloader. Someone might however want to manually secure and lock down their system, so by using the overrides hopefully it should be discoverable enough (via systemd-delta) while also making it possible to avoid sulogin using --force if desired.

See comments committed in the code for more verbose explanation.

!!!!! BEWARE THIS CHANGE IS COMPLETELY UNTESTED !!!!!

TODO: maybe db_input passwd/sulogin-force should only be run if db_get passwd/root-locked is TRUE? The question mostly exists to make it possible for people to disable via preseeding though.
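An audit check for the behaviour this commit message describes, as an added example that is not part of the commit or the project's code: given a shadow-format file and the drop-in directories of the rescue and emergency units, it reports whether single-user mode would prompt for a password, refuse a shell, or hand out a root shell without one. It assumes the flag is enabled through systemd's `SYSTEMD_SULOGIN_FORCE` environment variable; the function names, fixture contents and the `override.conf` file name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the commit). Fixture contents below are constructed.

# Succeeds if root's password field in a shadow-format file starts with
# '!' or '*', which is what sulogin treats as a locked account.
root_locked() {
    field=$(awk -F: '$1 == "root" { print $2; exit }' "$1")
    case "$field" in
        '!'*|'*'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds if any *.conf drop-in in the given directories sets
# SYSTEMD_SULOGIN_FORCE to a true value (simplification: a later
# drop-in that resets Environment= is not tracked).
sulogin_forced() {
    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            if grep -Eq '^[[:space:]]*Environment=.*SYSTEMD_SULOGIN_FORCE=(1|yes|true|on)(["[:space:]]|$)' "$f"; then
                return 0
            fi
        done
    done
    return 1
}

# Prints what rescue/emergency mode would do for this shadow file and drop-ins.
assess() {
    shadow=$1; shift
    if ! root_locked "$shadow"; then
        echo "password-prompt"            # sulogin asks for root's password
    elif sulogin_forced "$@"; then
        echo "passwordless-root-shell"    # locked root + --force behaviour
    else
        echo "no-shell-root-locked"       # sulogin refuses console access
    fi
}

# Demo on constructed fixtures.
demo=$(mktemp -d)
mkdir "$demo/rescue.service.d"
printf 'root:!:19000:0:99999:7:::\n' > "$demo/shadow"
echo "locked, no override: $(assess "$demo/shadow" "$demo/rescue.service.d")"
printf '[Service]\nEnvironment=SYSTEMD_SULOGIN_FORCE=1\n' > "$demo/rescue.service.d/override.conf"
echo "locked, override:    $(assess "$demo/shadow" "$demo/rescue.service.d")"
rm -rf "$demo"
```

On a real host, run `assess /etc/shadow /etc/systemd/system/rescue.service.d /etc/systemd/system/emergency.service.d` as root; a result of `passwordless-root-shell` on a machine that is meant to be locked down means the override should be removed.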