diff --git a/config/chroot_local-includes/etc/udev/rules.d/99-boot-dev-ownership.rules b/config/chroot_local-includes/etc/udev/rules.d/99-boot-dev-ownership.rules
new file mode 100644
index 0000000000000000000000000000000000000000..0073bae90ee3af43071f03388407d1fbd25c2e9c
--- /dev/null
+++ b/config/chroot_local-includes/etc/udev/rules.d/99-boot-dev-ownership.rules
@@ -0,0 +1,6 @@
+# Fix for Debian bug #645466.
+# Note: Must be applied after /lib/udev/rules.d/91-permissions.rules
+
+SUBSYSTEM=="block", SUBSYSTEMS=="usb", \
+	IMPORT{program}="/usr/local/sbin/udev-boot-dev-helper %k"
+SUBSYSTEM=="block", SUBSYSTEMS=="usb", ENV{IS_ON_BOOT_DEV}=="yes", GROUP="disk"
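Review bot: The final rule assigns the group with `GROUP="disk"`, which any rules file sorting after 99-boot-dev-ownership.rules can still reassign. Because the whole fix depends on this rule having the last word, the final-assignment form is safer: `GROUP:="disk"`. Neither rule has an `ACTION` match, so the helper is also forked on `remove` events, where the ownership no longer matters. Adding `ACTION=="add|change"` to both rules avoids that. It would also help to say in the header comment that the `99-` prefix is what provides the ordering after 91-permissions.rules.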
diff --git a/config/chroot_local-includes/lib/live/config/9980-permissions b/config/chroot_local-includes/lib/live/config/9980-permissions
index d446bf82cf076edd87f59458f5eb71bc02482401..2205be2a38d03ded34760c342c124ef348e6e0bd 100755
--- a/config/chroot_local-includes/lib/live/config/9980-permissions
+++ b/config/chroot_local-includes/lib/live/config/9980-permissions
@@ -1,39 +1,9 @@
 #!/bin/sh
 
-Fix_debian_bug_645466 ()
-{
-	# Fix bugs/writable_system_disk:_belongs_to_floppy_group (Debian
-	# bug #645466). Short story: udev sets a USB boot device's group
-	# ownership to 'floppy' making it writable by the live user. To
-	# prevent this we set it to 'disk'.
-
-	boot_dev_id=$(udevadm info --device-id-of-file=/lib/live/mount/medium)
-	boot_dev=$(readlink -f /dev/block/"${boot_dev_id}")
-	boot_dev_type=$(udevadm info --query=property --name="${boot_dev}" | \
-	                awk -F'=' '/ID_BUS/ { print $2 }')
-	if [ "${boot_dev_type}" != usb ]; then
-		return
-	fi
-	boot_dev_group=$(stat -c %G "${boot_dev}")
-	if [ "${boot_dev_group}" != disk ]; then
-		chgrp disk "${boot_dev}"
-		parent_path=$(udevadm info --query=property --name="${boot_dev}" | \
-		              awk -F'=' '/UDISKS_PARTITION_SLAVE/ { print $2 }')
-		if [ -n "${parent_path}" ]; then
-			parent_name=$(udevadm info --query=name --path="${parent_path}")
-			if [ -n "${parent_name}" ]; then
-				parent_dev=/dev/${parent_name}
-				chgrp disk "${parent_dev}"*
-			fi
-		fi
-	fi
-}
-
 Fix_permissions ()
 {
 	echo "- fixing permissions"
 	chown -R "${LIVE_USERNAME}":"${LIVE_USERNAME}" "/home/${LIVE_USERNAME}"
-	Fix_debian_bug_645466
 
 	# Creating state file
 	touch /var/lib/live/config/permissions
diff --git a/config/chroot_local-includes/usr/local/sbin/udev-boot-dev-helper b/config/chroot_local-includes/usr/local/sbin/udev-boot-dev-helper
new file mode 100755
index 0000000000000000000000000000000000000000..434760129f64a202559bd6a78d3817d9c7c582ce
--- /dev/null
+++ b/config/chroot_local-includes/usr/local/sbin/udev-boot-dev-helper
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Turns out we cannot use function using `udevadm` in this library for
+# this script since it's used in an udev rule; at that time the udev
+# database isn't finished and any queries in it cannot be trusted.
+. /usr/local/lib/tails-shell-library/boot.sh
+
+# XXX: This code is pretty crude thanks to not having udev to query
+# for the parent device. In Wheezy with its newer blkid we'll be able
+# to determine the parent device more reliably, if we care.
+boot_part_id=$(mountpoint -d "${BOOT_IMAGE}")
+boot_part=$(dev_id_to_block_dev "${boot_part_id}")
+boot_dev=$(echo ${boot_part} | sed 's/[0-9]*$//')
+if [ -b "${boot_dev}" ] && \
+    echo ${boot_dev} | grep -q "^/dev/sd[a-z]$" && \
+    echo /dev/$1 | grep -q "^${boot_dev}"; then
+        echo IS_ON_BOOT_DEV=yes
+fi
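Review bot: The helper fails open: if `mountpoint -d "${BOOT_IMAGE}"` or `dev_id_to_block_dev` yields nothing, or the boot device is not named `/dev/sd[a-z]`, the script prints nothing and exits 0. The device then silently keeps the group assigned by 91-permissions.rules, which is the live-user-writable state this change is meant to prevent. There is no safe default to emit, so at least make the failure visible: after the `boot_part_id=` line add `[ -n "${boot_part_id}" ] || { logger -t udev-boot-dev-helper "cannot resolve boot device for $1"; exit 1; }`, and do the same for an empty `boot_dev`. Separately, `echo /dev/$1 | grep -q "^${boot_dev}"` is an unquoted prefix match, so `/dev/sda` also matches `/dev/sdaa`; `case "/dev/$1" in "${boot_dev}"|"${boot_dev}"[0-9]*) echo IS_ON_BOOT_DEV=yes ;; esac` is exact and spawns no extra processes. `BOOT_IMAGE` is presumably set by the sourced boot.sh, which is outside this diff.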