From Fedora Project Wiki

Make Rescue Mode Work With Locked Root


Fedora defaults to locking the root account, which is needed by single-user mode. This Change uses sulogin --force so the password request is bypassed under this circumstance.


Current status

  • Targeted release: Fedora Linux 37
  • Last updated: 2022-05-17
  • devel thread
  • FESCo issue: #2713
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Users typically only use single-user mode in case the normal boot is not working. In the unfortunate situation that it happens, under the current setup they cannot recover without booting from a Fedora live image or another image, or by overriding init=, because our single-user mode requires a root password, and by default we lock the root account.

A more user-friendly setup is to allow the password to be bypassed in case it's not set.

This does not pose an increased security risk: - you can already boot with init=/sysroot/bin/bash anyway - anyone with physical access to a machine can probably compromise it - you can enforce the need for a root password in single-user mode by setting it

This change will be implemented by pre-installing an RPM containing systemd overrides for emergency.service and rescue.service, similar to the CoreOS implementation, so users and editions/variants can opt out by removing this or omitting it from their default installation.


Benefit to Fedora

This Change provides a better out-of-the-box user experience in case they need to rescue their system, by making the rescue option presented in the bootloader actually work.


  • Proposal owners: Ship the needed configuration change in a systemd subpackage. Test and verify that it works, then work with editions and spins to test and enable this by default by making systemd Recommends: (systemd-rescue-defaults if dracut-config-rescue)
  • Other developers: Test this and opt-out if necessary (eg cloud doesn't have a rescue initramfs so the package is deadweight). On variants where dracut-config-rescue is installed but an opt out is desired, excluding the package from installation will prevent it being installed on systemd upgrades
  • Release engineering: #10422
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives: N/A

Upgrade/compatibility impact

Upgrades would pull in this automatically, see [1]

How To Test

- dnf install systemd-rescue-defaults - reboot and verify rescue mode works

User Experience

Rescue mode works out of the box, without resorting to overriding init= or using a live media.


- most changes will be done in the systemd package - for variants that need to opt out we'll need to modify their kickstart files

Contingency Plan

  • Contingency mechanism: if the Recommends have been added to systemd, remove it and potentially add an Obsoletes: to remove older known-bad versions of rescue-defaults
  • Contingency deadline: Beta freeze
  • Blocks release? No


The built-in rescue mode now works out of the box without needing to use a live image. For added security you can set a root password.

Release Notes