Thankfully, the Linux permissions model has two special bits called "suid" and "sgid". When an executable program has the "suid" bit set, it will run on behalf of the owner of the executable, rather than on behalf of the person who started the program.

Now, back to the /etc/passwd problem. If we take a look at the passwd executable, we can see that it's owned by root:

$ ls -l /usr/bin/passwd
-rwsr-xr-x    1 root     wheel       17588 Sep 24 00:53 /usr/bin/passwd

You'll also note that in place of an x in the user's permission triplet, there's an s. This indicates that, for this particular program, the suid and executable bits are set. Because of this, when passwd runs, it will execute on behalf of the root user (with full superuser access) rather than that of the user who ran it. And because passwd runs with root access, it's able to modify the /etc/passwd file with no problem.