No, it isn't because of tainting because fairly recent CGI.pm defines:

sub remote_user {
    return $ENV{'REMOTE_USER'};
}
[download]

I advocate using CGI.pm's remote_user() because if, for example, a "broken" web server becomes popular that puts this information into $ENV{AUTHEN_USER} and not $ENV{REMOTE_USER}, then CGI.pm is likely to get updated to take this into consideration and you won't have to fix all of the places you used $ENV{REMOTE_USER} directly (nor waste time discovering the bug in your new server), etc.

        - tye (but my friends call me "Tye")