How to use mod_dav without having to give Apache write permissions

We are trying to improve our webserver security and force as many files as possible to have 0644 permissions by root:www-data so Apache only has write permissions to specific directories and files.

The problem is that we run a mod_dav WebDAV server on the same Apache installation, which we use to push remote files via a virtual host, so all files updated through that are created/modified as Apache's user (www-data in our case).

I know previous Apache versions could assign a different user in vhosts (old assignuserid) via a directive, but I understand that on 2.2 versions this is only possible using something like the mpm-itk engine (a fork of prefork with support for users on vhosts).

This route sounds a bit too complicated for us in the long term (updates, support for the modules, etc.), so we would appreciate any help/suggestions to find other alternatives to either user use or a separate webdav file server.

There are 1 best solutions below

You could run your webdav service using fcgi from Apache. Use one of the many third-party webdav servers available, such as this one.

You can run the fcgi program as root if you want to. Although from a security point of view, that's a pretty bad idea.
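
A check for the permission model described in the question (files 0644 and root:www-data, with Apache writing only to specific directories), as an added example that is not part of the original question or answer. The names `writable_by` and `audit` and the allowed-subtree list are assumptions made for illustration; the script lists everything under a document root that the web server account can still write to.

```python
import os
import stat
import sys


def writable_by(st, uid, gids):
    """True if the classic mode bits let (uid, gids) write. POSIX ACLs are not consulted."""
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit(root, uid, gids, allowed=()):
    """Return sorted paths (relative to root) the account can write to,
    skipping the subtrees or files named in `allowed` (relative to root)."""
    root = os.path.abspath(root)
    allowed = {os.path.join(root, a) for a in allowed}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Do not descend into subtrees the web server is meant to write to.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in allowed]
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            if path in allowed:
                continue
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode says nothing about its target
            if writable_by(st, uid, gids):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


if __name__ == "__main__":
    # Usage (assumed): audit.py DOCROOT [ALLOWED_SUBPATH ...]
    import pwd  # Unix only
    if len(sys.argv) < 2:
        sys.exit("usage: audit.py DOCROOT [ALLOWED_SUBPATH ...]")
    user = pwd.getpwnam("www-data")  # account name taken from the question
    groups = set(os.getgrouplist(user.pw_name, user.pw_gid))
    for rel in audit(sys.argv[1], user.pw_uid, groups, sys.argv[2:]):
        print(rel)
```

An empty result means the account has no write access outside the allowed subtrees according to mode bits; files written through mod_dav as www-data will show up here because they are owned by that user.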