Exactly; way back when, there was only /etc/passwd, but in order for users to be able to edit their settings, it was world readable, NOT a good thing.
Later on, it was decided to create /etc/shadow and put the actual passwd (and add aging info) into /etc/shadow.
The passwd cmd runs as root, using suid bit.
So, (on the solaris box in front of me) we have
-rw-r--r-- 1 root sys 1466 Jul 12 09:51 /etc/passwd
-r-------- 1 root sys 765 Jul 12 09:51 /etc/shadow
-r-sr-sr-x 1 root sys 27220 Jan 23 2005 /usr/bin/passwd
Check your system, should look very similar.