Fedora already has a built-in mechanism (provided by systemd) for booting into rescue and emergency modes.
However, that mechanism has limitations because, by default, Fedora (and thus Universal Blue systems) does not set a root password during install. Thus, when emergency or rescue mode is reached, the user is shown the error:
Cannot open access to console, the root account is locked.
We’ve improved the situation for all Universal Blue derivatives (including Bazzite and Bluefin) using inspiration from Fedora CoreOS.
Now, when booting to emergency or rescue mode with a locked root account, the user is instead presented with a more standard prompt:
Press Enter for maintenance
(or press Control-D to continue):
At this point, pressing Enter will drop the user into the appropriate root shell. SELinux will also be active in this mode (unless it has been disabled by other configuration), so this is a good mode to use if you need to reset your password, etc.
See below for more details:
Booting to Emergency Mode
Emergency mode provides the most minimal environment possible and allows you to repair your system even in situations when the system is unable to enter rescue mode. In emergency mode, the system mounts the root file system only for reading, does not attempt to mount any other local file systems, does not activate network interfaces, and starts only a few essential services.
- Press Esc on the keyboard to reach the GRUB boot menu.
  a. If you press Esc too many times, you may end up at a grub> prompt.
  b. Return to the boot menu by typing exit and pressing Enter.
- Select the desired deployment (the top entry is generally correct) and edit by pressing E on the keyboard.
- Arrow down to the line starting with linux and press Ctrl+E to reach the end of the line.
- Add the word emergency to the end of the line.
  a. Ensure there is a space between emergency and the pre-existing text.
  b. Equivalent parameters -b and systemd.unit=emergency.target may be added instead of emergency.
- Press Ctrl+X to boot the system.
Booting to Rescue Mode
Rescue mode provides a convenient single-user environment and allows you to repair your system in situations when it is unable to complete a normal booting process. In rescue mode, the system attempts to mount all local file systems and start some important system services, but it does not activate network interfaces or allow more users to be logged into the system at the same time. In Fedora, rescue mode is equivalent to single user mode.
- Press Esc on the keyboard to reach the GRUB boot menu.
  a. If you press Esc too many times, you may end up at a grub> prompt.
  b. Return to the boot menu by typing exit and pressing Enter.
- Select the desired deployment (the top entry is generally correct) and edit by pressing E on the keyboard.
- Arrow down to the line starting with linux and press Ctrl+E to reach the end of the line.
- Add the word single to the end of the line.
  a. Ensure there is a space between single and the pre-existing text.
  b. Equivalent parameters 1, s, S, and systemd.unit=rescue.target may be added instead of single.
- Press Ctrl+X to boot the system.
Root shell with no password! How can this be secure?
This improvement is implemented such that a user must have the ability to edit the kernel command line. If your bootloader (e.g., GRUB) is configured with a password preventing users from modifying the kernel command line, bypassing the password for a locked root account will not be enabled. This is especially important since emergency mode can be reached when a filesystem check fails at boot time, not just when specified on the kernel command line.
Given this safeguard, this improved rescue & emergency method is just as secure as setting init=/bin/bash, etc. Plus, it is less likely a user will damage SELinux labels using this method.
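To see where a given machine stands with respect to this safeguard, the following added example (not Universal Blue's own code) reports whether the current boot requested rescue or emergency mode and whether a GRUB password is configured. It assumes the Fedora grub2-setpassword convention of a GRUB2_PASSWORD= line in /boot/grub2/user.cfg; the function names and default paths are illustrative, and the project's own gating check may differ.

```shell
#!/bin/sh
# Added example; function names and default paths are assumptions.

# Print "emergency", "rescue" or "normal" for a kernel command line file.
# Matches the parameters listed on this page; the last match wins here.
# Runs in a subshell so that "set -f" (no globbing) stays local.
# Quoted values that contain spaces are not handled.
boot_mode_from_cmdline() (
    set -f
    mode=normal
    for arg in $(cat "${1:-/proc/cmdline}"); do
        case "$arg" in
            emergency|-b|systemd.unit=emergency.target) mode=emergency ;;
            single|1|s|S|systemd.unit=rescue.target)    mode=rescue ;;
        esac
    done
    printf '%s\n' "$mode"
)

# Return 0 if user.cfg holds a PBKDF2 password hash in the form written by
# Fedora's grub2-setpassword. The file is normally readable by root only,
# so an unprivileged run reports "not set".
grub_password_set() {
    cfg=${1:-/boot/grub2/user.cfg}
    [ -r "$cfg" ] &&
        grep -Eq '^GRUB2_PASSWORD=grub\.pbkdf2\.[^.]+\.[0-9]+\..+' "$cfg"
}

# One-line summary: cmdline_edit=open means no GRUB password was found, so
# anyone at the console can append the rescue/emergency parameters.
audit_recovery_exposure() {
    mode=$(boot_mode_from_cmdline "$1")
    if grub_password_set "$2"; then gate=password; else gate=open; fi
    printf 'boot_mode=%s cmdline_edit=%s\n' "$mode" "$gate"
}

# Usage on a live system (as root): audit_recovery_exposure
# Usage on copies: audit_recovery_exposure ./cmdline.txt ./user.cfg
```
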
Thanks to Colin Walters and Timothée Ravier for inspiring this solution.