diff --git a/README.md b/README.md
index 22c8cafdd0..cd2ac7c9a4 100644
--- a/README.md
+++ b/README.md
@@ -2326,6 +2326,10 @@ Sets [PassengerStartTimeout](https://www.phusionpassenger.com/library/config/apa
 
 Sets [PassengerPreStart](https://www.phusionpassenger.com/library/config/apache/reference/#passengerprestart), the URL of the application if pre-starting is required.
 
+##### `passenger_user`
+
+Sets [PassengerUser](https://www.phusionpassenger.com/library/config/apache/reference/#passengeruser), the running user for sandboxing applications.
+
 ##### `php_flags & values`
 
 Allows per-virtual host setting [`php_value`s or `php_flag`s](http://php.net/manual/en/configuration.changes.php). These flags or values can be overwritten by a user or an application. Default: '{}'.
diff --git a/manifests/vhost.pp b/manifests/vhost.pp
index 4a9614777e..a02e25f144 100644
--- a/manifests/vhost.pp
+++ b/manifests/vhost.pp
@@ -125,6 +125,7 @@
   $passenger_min_instances     = undef,
   $passenger_start_timeout     = undef,
   $passenger_pre_start         = undef,
+  $passenger_user              = undef,
   $add_default_charset         = undef,
   $modsec_disable_vhost        = undef,
   $modsec_disable_ids          = undef,
@@ -276,7 +277,7 @@
     include ::apache::mod::suexec
   }
 
-  if $passenger_app_root or $passenger_app_env or $passenger_ruby or $passenger_min_instances or $passenger_start_timeout or $passenger_pre_start {
+  if $passenger_app_root or $passenger_app_env or $passenger_ruby or $passenger_min_instances or $passenger_start_timeout or $passenger_pre_start or $passenger_user {
     include ::apache::mod::passenger
   }
 
@@ -956,7 +957,8 @@
   # - $passenger_min_instances
   # - $passenger_start_timeout
   # - $passenger_pre_start
-  if $passenger_app_root or $passenger_app_env or $passenger_ruby or $passenger_min_instances or $passenger_start_timeout or $passenger_pre_start {
+  # - $passenger_user
+  if $passenger_app_root or $passenger_app_env or $passenger_ruby or $passenger_min_instances or $passenger_start_timeout or $passenger_pre_start or $passenger_user {
     concat::fragment { "${name}-passenger":
       target  => "${priority_real}${filename}.conf",
       order   => 300,
diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb
index 8bc6c95b2c..405c2a21e8 100644
--- a/spec/defines/vhost_spec.rb
+++ b/spec/defines/vhost_spec.rb
@@ -338,6 +338,7 @@
           'passenger_min_instances'     => '1',
           'passenger_start_timeout'     => '600',
           'passenger_pre_start'         => 'http://localhost/myapp',
+          'passenger_user'              => 'sandbox',
           'add_default_charset'         => 'UTF-8',
           'jk_mounts'                   => [
             { 'mount'   => '/*',     'worker' => 'tcnode1', },
diff --git a/templates/vhost/_passenger.erb b/templates/vhost/_passenger.erb
index 130e769353..91820d3634 100644
--- a/templates/vhost/_passenger.erb
+++ b/templates/vhost/_passenger.erb
@@ -16,3 +16,6 @@
 <% if @passenger_pre_start -%>
   PassengerPreStart <%= @passenger_pre_start %>
 <% end -%>
+<% if @passenger_user -%>
+  PassengerUser <%= @passenger_user %>
+<% end -%>