If memory serves this has something to do with the setuid and setgid flags. If you run the command:
ls -alh $(which passwd)
You should see something like this in the permissions part of the listing for the passwd executable:
The s in the 4th position indicates that the setuid flag is set. This allows any user to run the executable as the files owner (root) without having to actually be root (and with no need to use sudo either).
Because of this - the passwd program is able to write an ordinary, unprivileged users new password to /etc/shadow.
I do know that unprivileged users can only change the password for their own account. So there must be some code in passwd that checks who is running the program.
If the user running the program is an ordinary user, it only allows the user to change their own password. But if the user who started the process is root (by either running directly as root, or via sudo) - then it will allow you to change the password for ANY account.
So as far as I know, it's the setuid flag that allows /etc/shadow to be written to when running passwd as an ordinary user.
There is another flag similar to setuid called setgid. When set, that will allow a program to run as whatever group is assigned to the program.
I'm not sure, but this flag might also be set too!