diff --git a/internal/app/spaccount.go b/internal/app/spaccount.go
index 66633d4..7da5436 100644
--- a/internal/app/spaccount.go
+++ b/internal/app/spaccount.go
@@ -14,30 +14,35 @@ func init() { gob.Register(spAccountOp{}) }
 type spAccountOp struct{}
 
 func (s spAccountOp) toSystem(state *outcomeStateSys) error {
-	const fallbackUsername = "chronos"
-
 	// do checks here to fail before fork/exec
 	if state.Container == nil || state.Container.Home == nil || state.Container.Shell == nil {
 		// unreachable
 		return syscall.ENOTRECOVERABLE
 	}
-	if state.Container.Username == "" {
-		state.Container.Username = fallbackUsername
-	} else if !isValidUsername(state.Container.Username) {
+
+	// default is applied in toContainer
+	if state.Container.Username != "" && !isValidUsername(state.Container.Username) {
 		return newWithMessage(fmt.Sprintf("invalid user name %q", state.Container.Username))
 	}
 	return nil
 }
 
 func (s spAccountOp) toContainer(state *outcomeStateParams) error {
+	const fallbackUsername = "chronos"
+
+	username := state.Container.Username
+	if username == "" {
+		username = fallbackUsername
+	}
+
 	state.params.Dir = state.Container.Home
 	state.env["HOME"] = state.Container.Home.String()
-	state.env["USER"] = state.Container.Username
+	state.env["USER"] = username
 	state.env["SHELL"] = state.Container.Shell.String()
 
 	state.params.
 		Place(fhs.AbsEtc.Append("passwd"),
-			[]byte(state.Container.Username+":x:"+
+			[]byte(username+":x:"+
 				state.mapuid.String()+":"+
 				state.mapgid.String()+
 				":Hakurei:"+