Is there a way not to keep bootstrap.json with MySQL credentials hosted on the server?
Visiting my_host/data/plugins/boot.conf/bootstrap.json will show MySQL password in plain text!
I’m using pydio 6.4 and would like to avoid switching to newer versions.
Is there a way do remove bootstrap.json from being accessible by anyone?
You should not be able to see bootstrap.json if you have correctly configured .htaccess file on that directory (or on it’s parent one)
If you are able to see file content, either you missed to copy default .htaccess
(which contains deny from all), or the relevant option in your webserver configuration is missing
for apache it should be “AllowOverride all” for the directory in which pydio is installed.
A possible solution if you are not able to modify website config, is to move data directory out of server root modifying conf/bootstrap_context.php.
Instead if you do not want to set AllowOverride all, but you are able to modify web server config is to set a “deny from all” on the data dir and also on the conf one.
Any way keep in mind that not enabling AllowOverride all will probably stop also rewrite rules (as normally the RewriteEngine is off), so at least you will need an AllowOverride fileinfo for the pydio dir.