I was able to get it working by adding nginx to the node user's primary group:
    gpasswd -a nginx node
And then starting the express server using the following:
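    var fs = require('fs');
    var http = require('http');

    // `sock` is the path of the Unix domain socket and `app` is the Express
    // application; both are defined elsewhere.
    // Create the server
    fs.stat(sock, function(err) {
      // Remove a stale socket file left over from a previous run
      if (!err) { fs.unlinkSync(sock); }
      http.createServer(app).listen(sock, function(){
        // Let the group (which now includes nginx) use the socket
        fs.chmodSync(sock, '775');
        console.log('Express server listening on ' + sock);
      });
    });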
I don't really feel like this is a valid solution, just a hack. Express wasn't built with deleting and setting file perms in mind, and it especially bugs me to have to add the nginx user to the node user's primary group. If there were ever a compromise of the nginx account, the attacker could conceivably have access to all of the application's source, and an avenue to try endless attacks on the code using the socket. The best that I can do is set the umask to 077 for the node user and try to get 100% coverage with a chmod 600 on every file and chmod 700 on every directory, or set the group to the non-default for the user on everything.
That said, I would still appreciate any ideas.
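One way to address the concern raised in the post, as an added example that is not part of the original post or of Express: keep the socket in its own directory owned by a dedicated shared group, and create it with tight permissions through the umask instead of a chmod after `listen()`. The helper name `listenOnPrivateSocket`, the file name `app.sock` and the `sharedGid` parameter are assumptions; the node user must itself be a member of that group.

```javascript
'use strict';
const fs = require('fs');
const http = require('http');
const path = require('path');

// Hypothetical helper (not an Express API): bind `server` to <sockDir>/app.sock
// so that only the node user and members of `sharedGid` can reach the socket.
// `sharedGid` is an assumed dedicated group (holding only nginx and node), so
// nginx never has to join the node user's primary group.
function listenOnPrivateSocket(server, sockDir, sharedGid) {
  // Keep the socket outside the source tree, in its own directory.
  fs.mkdirSync(sockDir, { recursive: true });
  fs.chownSync(sockDir, process.getuid(), sharedGid);
  // 2750: owner rwx, group r-x, others none; the setgid bit makes files
  // created here (the socket included) inherit the directory's group.
  fs.chmodSync(sockDir, 0o2750);

  const sock = path.join(sockDir, 'app.sock');
  try {
    // Remove only a stale *socket*; never unlink some other file type.
    if (!fs.lstatSync(sock).isSocket()) {
      throw new Error(sock + ' exists and is not a socket');
    }
    fs.unlinkSync(sock);
  } catch (e) {
    if (e.code !== 'ENOENT') throw e;
  }

  // umask 117 makes bind() create the socket as 0660 from the start, so there
  // is no window between listen() and a later chmod. For a socket path in a
  // non-clustered process the bind happens inside listen(), so the previous
  // umask can be restored as soon as it returns.
  const previous = process.umask(0o117);
  try {
    server.listen(sock);
  } finally {
    process.umask(previous);
  }
  return sock;
}

module.exports = { listenOnPrivateSocket };
```

With this layout the application source can stay owned by the node user's primary group with no group access for nginx, since the shared group only grants access to the socket directory.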