Not to be confused:
- A) dracut recovery shell [This topic]
- B) Linux recovery mode (Single-User Mode) [somewhat related, but not the same]
This topic overlaps very much with Harden GRUB bootloader using bootloader password.
If protecting all GRUB bootloader boot menu entries, is there still a point in disabling dracut recovery shell?
Specifically, since there is a Linux recovery mode boot menu entry anyhow.
A theoretic argument could be made “if an attacker can bypass GRUB passwords”, but these minor Protection against Physical Attacks measures help against weak adversaries. An advanced adversary that could in theory bypass the bootloader password, would probably bother with neither GRUB passwords, dracut recovery shell nor Linux recovery mode but instead use Malicious Hardware Modifications, Side Channel Attacks or similar.
related: